Cryptographically secure machine learning

ABSTRACT

Embodiments are directed towards classifying data. A machine learning (ML) engine may select an ML model that may employ a cryptographic multi-party computation (MPC) protocol based on model preferences, including a parameter model, provided by a client. A randomness engine may be employed to provide random values and other random values based on the MPC protocol such that the random values may be provided to the client and the other random values may be provided to an answer engine. Input values that correspond to fields in the parameter model may be provided by the client such that the input values may be based on the MPC protocol and the random values. The answer engine may be employed to provide partial results to the question based on the ML model, the input values, and the MPC protocol that may be provided to the client.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This Utility patent application is a Continuation of U.S. patent application Ser. No. 15/913,864 filed on Mar. 6, 2018, now U.S. Pat. No. 10,198,399 issued on Feb. 5, 2019, the benefit of which is claimed under 35 U.S.C. § 120, and the contents of which are further incorporated in entirety by reference.

TECHNICAL FIELD

The present invention relates generally to machine learning and, more particularly, but not exclusively to methods for sharing or distributing machine learning models.

BACKGROUND

Machine learning is increasingly playing a larger and more important role in developing or improving the understanding of complex systems. As machine learning techniques have matured, machine learning has rapidly moved from the theoretical to the practical. Combined with the advent of big-data technology, machine learning solutions are being applied to a variety of industries and applications that until now were difficult, if not impossible, to effectively reason about. As such, there has been an explosion of the development of different types of machine learning models that may be used for predicting outcomes for different systems. In some cases, some organizations may expend significant resources to develop or train machine learning models directed to different question spaces. Also, since training and tuning machine learning models may be difficult or time consuming, other organizations may be interested in using machine learning models that have been trained and tuned by other organizations. However, using public or shared machine learning models may be difficult for organizations that have secret or private information they are interested in classifying using other organizations' machine learning models. For example, undesirable sharing of private or confidential information with the owner of the shared machine learning models may be required. Likewise, other organizations that own trained models may be discouraged from sharing their trained models with others. For example, developing, training, or tuning machine learning models may be expensive or proprietary. Thus, in this example, simply providing a tuned and trained model to another organization may be disadvantageous since some or all of the internal details developed through training or tuning may be discernable by others when using it.

Accordingly, practical sharing, or the like, of machine learning models may be difficult and impractical. Thus, it is with respect to these considerations and others that the invention has been made.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the present innovations are described with reference to the following drawings. In the drawings, like reference numerals refer to like parts throughout the various figures unless otherwise specified. For a better understanding of the described innovations, reference will be made to the following Detailed Description of the Various Embodiments, which is to be read in association with the accompanying drawings, wherein:

FIG. 1 illustrates a system environment in which various embodiments may be implemented;

FIG. 2 shows a schematic embodiment of a client computer;

FIG. 3 illustrates a schematic embodiment of a network computer;

FIG. 4 shows a logical schematic of a portion of a machine learning platform system for cryptographically secure machine learning in accordance with one or more of the various embodiments;

FIG. 5 illustrates a logical representation of a tree model that may be part of a secure ML model in accordance with one or more of the various embodiments;

FIG. 6 illustrates a logical representation of a machine learning (ML) model envelope for scoring model objects in accordance with one or more of the various embodiments;

FIG. 7 illustrates a logical representation of a system for mapping input data to ML parameter models in accordance with one or more of the various embodiments;

FIG. 8A illustrates a logical schematic of a system for cryptographically secure machine learning in accordance with one or more of the various embodiments;

FIG. 8B illustrates a logical schematic of a system for cryptographically secure machine learning in accordance with one or more of the various embodiments;

FIG. 9 illustrates a logical schematic of a system for cryptographically secure machine learning in accordance with one or more of the various embodiments;

FIG. 10 illustrates an overview flowchart for process 1000 for cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments;

FIG. 11 illustrates an overview flowchart for a process for cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments; and

FIG. 12 illustrates a flowchart for a process for computing an answer using cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments.

DETAILED DESCRIPTION OF THE VARIOUS EMBODIMENTS

Various embodiments now will be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific exemplary embodiments by which the invention may be practiced. The embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the embodiments to those skilled in the art. Among other things, the various embodiments may be methods, systems, media or devices. Accordingly, the various embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.

Throughout the specification and claims, the following terms take the meanings explicitly associated herein, unless the context clearly dictates otherwise. The phrase “in one embodiment” as used herein does not necessarily refer to the same embodiment, though it may. Furthermore, the phrase “in another embodiment” as used herein does not necessarily refer to a different embodiment, although it may. Thus, as described below, various embodiments may be readily combined, without departing from the scope or spirit of the invention.

In addition, as used herein, the term “or” is an inclusive “or” operator, and is equivalent to the term “and/or,” unless the context clearly dictates otherwise. The term “based on” is not exclusive and allows for being based on additional factors not described, unless the context clearly dictates otherwise. Also, throughout the specification and the claims, the use of “when” and “responsive to” do not imply that associated resultant actions are required to occur immediately or within a particular time period. Instead they are used herein to indicate actions that may occur or be performed in response to one or more conditions being met, unless the context clearly dictates otherwise. In addition, throughout the specification, the meaning of “a,” “an,” and “the” include plural references. The meaning of “in” includes “in” and “on.”

For example embodiments, the following terms are also used herein according to the corresponding meaning, unless the context clearly dictates otherwise.

As used herein the term, “engine” refers to logic embodied in hardware or software instructions, which can be written in a programming language, such as C, C++, Objective-C, COBOL, Java™, PHP, Perl, Python, JavaScript, Ruby, VBScript, Microsoft .NET™ languages such as C#, and/or the like. An engine may be compiled into executable programs or written in interpreted programming languages. Software engines may be callable from other engines or from themselves. Engines described herein refer to one or more logical modules that can be merged with other engines or applications, or can be divided into sub-engines. The engines can be stored in non-transitory computer-readable medium or computer storage device and be stored on and executed by one or more general purpose computers, thus creating a special purpose computer configured to provide the engine.

As used herein, the terms “raw data set,” or “raw data” refer to data sets provided by an organization that may represent the items to be ingested for use in a machine learning repository. In some embodiments raw data may be provided in various formats. In simple cases, raw data may be provided in spreadsheets, databases, csv files, or the like. In other cases, raw data may be provided using structured XML files, tabular formats, JSON files, or the like. In one or more of the various embodiments, raw data in this context may be the product of one or more preprocessing operations. For example, one or more pre-processing operations may be executed on information, such as, log files, data dumps, event logs, database dumps, unstructured data, structured data, or the like, or combination thereof. In some cases, the pre-processing may include data cleansing, filtering, or the like. The particular pre-processing operations may be specialized based on the source, context, format, veracity of the information, or the like. In some cases raw data may include sensitive or confidential information, such as, proprietary information, patient information, or other personally identifiable information.

As used herein, the term “raw data objects” refers to objects that comprise raw datasets. For example, if a raw dataset is comprised of a plurality of tabular record sets, the separate tabular record sets may be considered raw data objects.

As used herein, the term “model object” refers to an object that models various characteristics of an entity or data object. Model objects may include one or more model object fields that represent features or characteristics. Model objects, model object fields, or model object relationships may be governed by a model schema.

As used herein, the term “model schema” refers to a schema that defines model object types, model object features, model object relationships, or the like, that may be supported by the machine learning repository. For example, raw data objects are transformed into model objects that conform to a model schema supported by the machine learning platform.

As used herein, the term “data model” refers to a data structure that represents one or more model objects and their relationships. A data model will conform to a model schema supported by the machine learning platform.

As used herein, the term “parameter model” refers to a data structure that represents one or more model objects ML models may be arranged to support. A data model that includes model objects may be provided to an ML model if the data model satisfies the requirements of the ML model's parameter model.

As used herein, the terms “machine learning model” or “ML model” refer to machine learning models that may be arranged for scoring or evaluating model objects. The particular type of ML model and the questions it is designed to answer will depend on the application the ML model targets. ML models are associated with parameter models that define model objects that the ML model supports.

As used herein, the terms “tree model” or “tree data model” refer to machine learning models that represent tree-style ML models, such as, decision trees, random forests, or boosted decision tree models. The particular type of tree model and the questions it is designed to answer will depend on the design, purpose, or application of the tree model.

As used herein, the term “secure machine learning model” refers to a machine learning model that is arranged such that one or more internal values or components are obscured using one or more cryptographic methods. The purpose of the model, its shape, parameter model, and type of questions it is trained to answer may be exposed or discoverable. However, the values of one or more internal components, such as, coefficients, threshold values, weights, or the like, are encrypted to hide the details of the model. Accordingly, one organization may design, train, or tune a secure ML model and let other organizations use it without divulging some or all of the internal details of the ML model.

The following briefly describes the various embodiments to provide a basic understanding of some aspects of the invention. This brief description is not intended as an extensive overview. It is not intended to identify key or critical elements, or to delineate or otherwise narrow the scope. Its purpose is merely to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.

Briefly stated, embodiments are directed towards classifying data. In one or more of the various embodiments, a machine learning (ML) engine may be employed to select an ML model that may employ a cryptographic multi-party computation (MPC) protocol based on model preferences provided by a client such that the provided model preferences include both a question and a parameter model. In one or more of the various embodiments, selecting the ML model may include: comparing the parameter model with one or more other parameter models that may be associated with one or more ML models such that the one or more ML models remain encrypted during the comparison; and selecting the ML model from the one or more ML models based on the comparison.

In one or more of the various embodiments, a randomness engine may be employed to provide one or more random values and one or more other random values based on the MPC protocol such that the one or more random values are provided to the client and the one or more other random values may be provided to an answer engine. In some embodiments, the one or more random values and the one or more other random values may be correlated with each other based on the MPC protocol. In one or more of the various embodiments, employing the randomness engine may include: distributing a first instance of the randomness engine and a first random information datastore to the client such that the one or more random values are provided from the first random information datastore; distributing a second instance of the randomness engine and a second random information datastore to the answer engine such that the one or more other random values are provided from the second random information datastore; and employing the answer engine to synchronize the first random information datastore and second random information datastore to maintain a correlation between the one or more random values and the one or more other random values.

Further, in one or more of the various embodiments, the randomness engine may be employed to generate randomness information that includes the one or more random values and the one or more other random values based on the MPC protocol. In one or more of the various embodiments, the randomness engine may be employed to store the randomness information in a persistent data store. In one or more of the various embodiments, the randomness engine may be employed to discard the one or more random values from the persistent datastore as they are provided to the client. And, in one or more of the various embodiments, the randomness engine may be employed to discard the one or more other random values from the persistent datastore as they are provided to the answer engine.

In one or more of the various embodiments, the answer engine may be employed to receive, from the client, one or more input values that correspond to one or more fields in the parameter model such that the one or more input values may be based on the MPC protocol and the one or more random values. In one or more of the various embodiments, the one or more input values may be secured using oblivious input selection.

In one or more of the various embodiments, the answer engine may be employed to provide one or more partial results to the question based on the ML model, the one or more input values, and the MPC protocol.

In one or more of the various embodiments, the answer engine may be employed to provide the one or more partial results to the client such that an ML client engine provides one or more answers to the question based on the one or more partial results. In one or more of the various embodiments, providing the one or more partial results to the question may include: evaluating nodes of one or more decision trees included in the ML model by computing secure partial results that correspond to each node of the one or more decision trees; generating a polynomial from the secure partial results that represents a path through the one or more decision trees; and providing the polynomial to the client and the answer engine such that the terms of the polynomial are secured using the MPC protocol. In one or more of the various embodiments, providing the one or more partial results to the question may include evaluating one or more of, one or more decision tree models, one or more random forest models, one or more heuristics, or one or more filters, that are included in the selected ML model.
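As an added illustration, not code from the patent or its assignee, the following Python simulates the flow summarized above: a randomness engine deals correlated random values to the client and the answer engine, each side holds only shares of the client's inputs and of the model's coefficients, and the answer engine returns a partial result that the client combines into the answer. Additive secret sharing over a prime field, Beaver-triple multiplication, the linear scoring model and every class name below are this example's assumptions, not details given in the text.

```python
"""Two-party MPC evaluation of a coefficient-secret linear model.
Added example, not the patent's code.  Assumed: additive secret sharing
over a prime field, Beaver-triple correlated randomness, and the class
names used below."""
import secrets
from dataclasses import dataclass

P = 2**61 - 1  # prime modulus for the additive sharing (assumed)


def share(v):
    """Split v into two additive shares with s1 + s2 == v (mod P)."""
    s1 = secrets.randbelow(P)
    return s1, (v - s1) % P


def reconstruct(s1, s2):
    """Combine two shares and map the result back to a signed integer."""
    v = (s1 + s2) % P
    return v - P if v > P // 2 else v


@dataclass
class Triple:
    """One party's additive shares of a Beaver triple (a, b, c = a*b)."""
    a: int
    b: int
    c: int


class RandomnessEngine:
    """Deals correlated random values: the client and the answer engine get
    additive shares of the *same* triples, kept in two datastores that stay
    synchronized because entries are dealt in the same order and discarded
    as they are handed out (each triple is used exactly once)."""

    def __init__(self, count):
        self.client_store, self.answer_store = [], []
        for _ in range(count):
            a, b = secrets.randbelow(P), secrets.randbelow(P)
            a1, a2 = share(a)
            b1, b2 = share(b)
            c1, c2 = share(a * b % P)
            self.client_store.append(Triple(a1, b1, c1))
            self.answer_store.append(Triple(a2, b2, c2))

    def deal_client(self):
        return self.client_store.pop(0)

    def deal_answer(self):
        return self.answer_store.pop(0)

    def remaining(self):
        return len(self.client_store), len(self.answer_store)


class Party:
    """Holds one share of every value; party 1 also adds the public d*e term."""

    def __init__(self, index):
        self.index = index

    def mask(self, x_share, y_share, t):
        """Round 1 of Beaver multiplication: publish [x]-[a] and [y]-[b]."""
        return (x_share - t.a) % P, (y_share - t.b) % P

    def mul_share(self, t, d, e):
        """Round 2: local share of x*y from the opened d = x-a and e = y-b,
        since x*y = (a+d)(b+e) = c + d*b + e*a + d*e."""
        s = (t.c + d * t.b + e * t.a) % P
        if self.index == 1:
            s = (s + d * e) % P
        return s


def secure_linear_score(weights, bias, inputs):
    """Client holds `inputs`; the answer engine holds `weights` and `bias`.
    Neither side sees the other's plaintext: each receives only one share.
    Returns (score reconstructed by the client, triples left unused)."""
    n = len(weights)
    rng = RandomnessEngine(n)  # one correlated triple per multiplication
    client, answer = Party(1), Party(2)
    x_c, x_a = zip(*(share(x % P) for x in inputs))   # client -> answer
    w_c, w_a = zip(*(share(w % P) for w in weights))  # answer -> client
    acc_c, acc_a = share(bias % P)                    # bias shared likewise
    for j in range(n):
        tc, ta = rng.deal_client(), rng.deal_answer()
        dc, ec = client.mask(x_c[j], w_c[j], tc)
        da, ea = answer.mask(x_a[j], w_a[j], ta)
        d, e = (dc + da) % P, (ec + ea) % P  # opened values are uniform
        acc_c = (acc_c + client.mul_share(tc, d, e)) % P
        acc_a = (acc_a + answer.mul_share(ta, d, e)) % P
    # acc_a is the answer engine's partial result; on its own it is a random
    # field element.  The client adds its own share to obtain the answer.
    return reconstruct(acc_c, acc_a), rng.remaining()


if __name__ == "__main__":
    # Constructed sample: a three-coefficient model scored on one record.
    print(secure_linear_score([3, -2, 5], 7, [10, 4, -1]))  # (24, (0, 0))
```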

Illustrated Operating Environment

FIG. 1 shows components of one embodiment of an environment in which embodiments of the invention may be practiced. Not all the components may be required to practice the invention, and variations in the arrangement and type of the components may be made without departing from the spirit or scope of the invention. As shown, system 100 of FIG. 1 includes local area networks (LANs)/wide area networks (WANs)—(network) 110, wireless network 108, client computers 102-105, machine learning platform server computer 116, or the like.

At least one embodiment of client computers 102-105 is described in more detail below in conjunction with FIG. 2. In one embodiment, at least some of client computers 102-105 may operate over one or more wired and/or wireless networks, such as networks 108, and/or 110.

Generally, client computers 102-105 may include virtually any computer capable of communicating over a network to send and receive information, perform various online activities, offline actions, or the like. In one embodiment, one or more of client computers 102-105 may be configured to operate within a business or other entity to perform a variety of services for the business or other entity. For example, client computers 102-105 may be configured to operate as a web server, firewall, client application, media player, mobile telephone, game console, desktop computer, or the like. However, client computers 102-105 are not constrained to these services and may also be employed, for example, for end-user computing in other embodiments. It should be recognized that more or fewer client computers (than shown in FIG. 1) may be included within a system such as described herein, and embodiments are therefore not constrained by the number or type of client computers employed.

Computers that may operate as client computer 102 may include computers that typically connect using a wired or wireless communications medium such as personal computers, multiprocessor systems, microprocessor-based or programmable electronic devices, network PCs, or the like. In some embodiments, client computers 102-105 may include virtually any portable computer capable of connecting to another computer and receiving information such as, laptop computer 103, mobile computer 104, tablet computers 105, or the like. However, portable computers are not so limited and may also include other portable computers such as cellular telephones, display pagers, radio frequency (RF) devices, infrared (IR) devices, Personal Digital Assistants (PDAs), handheld computers, wearable computers, integrated devices combining one or more of the preceding computers, or the like. As such, client computers 102-105 typically range widely in terms of capabilities and features. Moreover, client computers 102-105 may access various computing applications, including a browser, or other web-based application.

A web-enabled client computer may include a browser application that is configured to receive and to send web pages, web-based messages, and the like. The browser application may be configured to receive and display graphics, text, multimedia, and the like, employing virtually any web-based language, including wireless application protocol (WAP) messages, and the like. In one embodiment, the browser application is enabled to employ Handheld Device Markup Language (HDML), Wireless Markup Language (WML), WMLScript, JavaScript, Standard Generalized Markup Language (SGML), HyperText Markup Language (HTML), eXtensible Markup Language (XML), JavaScript Object Notation (JSON), or the like, to display and send a message. In one embodiment, a user of the client computer may employ the browser application to perform various activities over a network (online). However, another application may also be used to perform various online activities.

Client computers 102-105 also may include at least one other client application that is configured to receive and/or send content to and from another computer. The client application may include a capability to send and/or receive content, or the like. The client application may further provide information that identifies itself, including a type, capability, name, and the like. In one embodiment, client computers 102-105 may uniquely identify themselves through any of a variety of mechanisms, including an Internet Protocol (IP) address, a phone number, Mobile Identification Number (MIN), an electronic serial number (ESN), universally unique identifiers (UUIDs), or other device identifiers. Such information may be provided in a network packet, or the like, sent between other client computers, machine learning platform server computer 116, or other computers.

Client computers 102-105 may further be configured to include a client application that enables an end-user to log into an end-user account that may be managed by another computer, such as machine learning platform server computer 116, or the like. Such an end-user account, in one non-limiting example, may be configured to enable the end-user to manage one or more online activities, including in one non-limiting example, project management, software development, system administration, data modeling, search activities, social networking activities, browse various websites, communicate with other users, provide inputs for secure machine learning classification, or the like. Also, client computers may be arranged to enable users to display reports, interactive user-interfaces, or results provided by machine learning platform server computer 116.

Wireless network 108 is configured to couple client computers 103-105 and their components with network 110. Wireless network 108 may include any of a variety of wireless sub-networks that may further overlay stand-alone ad-hoc networks, and the like, to provide an infrastructure-oriented connection for client computers 103-105. Such sub-networks may include mesh networks, Wireless LAN (WLAN) networks, cellular networks, and the like. In one embodiment, the system may include more than one wireless network.

Wireless network 108 may further include an autonomous system of terminals, gateways, routers, and the like connected by wireless radio links, and the like. These connectors may be configured to move freely and randomly and organize themselves arbitrarily, such that the topology of wireless network 108 may change rapidly.

Wireless network 108 may further employ a plurality of access technologies including 2nd (2G), 3rd (3G), 4th (4G), 5th (5G) generation radio access for cellular systems, WLAN, Wireless Router (WR) mesh, and the like. Access technologies such as 2G, 3G, 4G, 5G, and future access networks may enable wide area coverage for mobile computers, such as client computers 103-105 with various degrees of mobility. In one non-limiting example, wireless network 108 may enable a radio connection through a radio network access such as Global System for Mobile communication (GSM), General Packet Radio Services (GPRS), Enhanced Data GSM Environment (EDGE), code division multiple access (CDMA), time division multiple access (TDMA), Wideband Code Division Multiple Access (WCDMA), High Speed Downlink Packet Access (HSDPA), Long Term Evolution (LTE), and the like. In essence, wireless network 108 may include virtually any wireless communication mechanism by which information may travel between client computers 103-105 and another computer, network, a cloud-based network, a cloud instance, or the like.

Network 110 is configured to couple network computers with other computers, including, machine learning platform server computer 116, client computers 102-105 through wireless network 108, or the like. Network 110 is enabled to employ any form of computer readable media for communicating information from one electronic device to another. Also, network 110 can include the Internet in addition to local area networks (LANs), wide area networks (WANs), direct connections, such as through a universal serial bus (USB) port, other forms of computer-readable media, or any combination thereof. On an interconnected set of LANs, including those based on differing architectures and protocols, a router acts as a link between LANs, enabling messages to be sent from one to another. In addition, communication links within LANs typically include twisted wire pair or coaxial cable, while communication links between networks may utilize analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, and/or other carrier mechanisms including, for example, E-carriers, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, or other communications links known to those skilled in the art. Moreover, communication links may further employ any of a variety of digital signaling technologies, including without limit, for example, DS-0, DS-1, DS-2, DS-3, DS-4, OC-3, OC-12, OC-48, or the like. Furthermore, remote computers and other related electronic devices could be remotely connected to either LANs or WANs via a modem and temporary telephone link. In one embodiment, network 110 may be configured to transport information of an Internet Protocol (IP).

Additionally, communication media typically embodies computer readable instructions, data structures, program modules, or other transport mechanism and includes any information non-transitory delivery media or transitory delivery media. By way of example, communication media includes wired media such as twisted pair, coaxial cable, fiber optics, wave guides, and other wired media and wireless media such as acoustic, RF, infrared, and other wireless media.

One embodiment of machine learning engine server computer 116 is described in more detail below in conjunction with FIG. 3. Briefly, however, machine learning model platform server computer 116 includes virtually any network computer that is specialized to provide data modeling or machine learning services as described herein.

Although FIG. 1 illustrates machine learning platform server computer 116 as a single computer, the innovations and/or embodiments are not so limited. For example, one or more functions of machine learning platform server computer 116, or the like, may be distributed across one or more distinct network computers. Moreover, machine learning model platform server computer 116 is not limited to a particular configuration such as the one shown in FIG. 1. Thus, in one embodiment, machine learning platform server computer 116 may be implemented using a plurality of network computers. In other embodiments, server computers may be implemented using a plurality of network computers in a cluster architecture, a peer-to-peer architecture, or the like. Further, in at least one of the various embodiments, machine learning model platform server computer 116 may be implemented using one or more cloud instances in one or more cloud networks. Accordingly, these innovations and embodiments are not to be construed as being limited to a single environment, and other configurations, and architectures are also envisaged.

Illustrative Client Computer

FIG. 2 shows one embodiment of client computer 200 that may include more or less components than those shown. Client computer 200 may represent, for example, at least one embodiment of mobile computers or client computers shown in FIG. 1.

Client computer 200 may include one or more processors, such as processor 202 in communication with memory 204 via bus 228. Client computer 200 may also include power supply 230, network interface 232, audio interface 256, display 250, keypad 252, illuminator 254, video interface 242, input/output interface 238, haptic interface 264, global positioning systems (GPS) receiver 258, open air gesture interface 260, temperature interface 262, camera(s) 240, projector 246, pointing device interface 266, processor-readable stationary storage device 234, and processor-readable removable storage device 236. Client computer 200 may optionally communicate with a base station (not shown), or directly with another computer. And in one embodiment, although not shown, a gyroscope, accelerometer, or the like may be employed within client computer 200 to measure and/or maintain an orientation of client computer 200.

Power supply 230 may provide power to client computer 200. A rechargeable or non-rechargeable battery may be used to provide power. The power may also be provided by an external power source, such as an AC adapter or a powered docking cradle that supplements and/or recharges the battery.

Network interface 232 includes circuitry for coupling client computer 200 to one or more networks, and is constructed for use with one or more communication protocols and technologies including, but not limited to, protocols and technologies that implement any portion of the OSI model for mobile communication (GSM), CDMA, time division multiple access (TDMA), UDP, TCP/IP, SMS, MMS, GPRS, WAP, UWB, WiMax, SIP/RTP, GPRS, EDGE, WCDMA, LTE, UMTS, OFDM, CDMA2000, EV-DO, HSDPA, or any of a variety of other wireless communication protocols. Network interface 232 is sometimes known as a transceiver, transceiving device, or network interface card (NIC).

Audio interface 256 may be arranged to produce and receive audio signals such as the sound of a human voice. For example, audio interface 256 may be coupled to a speaker and microphone (not shown) to enable telecommunication with others and/or generate an audio acknowledgement for some action. A microphone in audio interface 256 can also be used for input to or control of client computer 200, e.g., using voice recognition, detecting touch based on sound, and the like.

Display 250 may be a liquid crystal display (LCD), gas plasma, electronic ink, electronic paper, light emitting diode (LED), Organic LED (OLED) or any other type of light reflective or light transmissive display that can be used with a computer. Display 250 may also include a touch interface 244 arranged to receive input from an object such as a stylus or a digit from a human hand, and may use resistive, capacitive, surface acoustic wave (SAW), infrared, radar, or other technologies to sense touch and/or gestures.

Projector 246 may be a remote handheld projector or an integratedprojector that is capable of projecting an image on a remote wall or anyother reflective object such as a remote screen.

Video interface 242 may be arranged to capture video images, such as astill photo, a video segment, an infrared video, or the like. Forexample, video interface 242 may be coupled to a digital video camera, aweb-camera, or the like. Video interface 242 may comprise a lens, animage sensor, and other electronics. Image sensors may include acomplementary metal-oxide-semiconductor (CMOS) integrated circuit,charge-coupled device (CCD), or any other integrated circuit for sensinglight.

Keypad 252 may comprise any input device arranged to receive input froma user. For example, keypad 252 may include a push button numeric dial,or a keyboard. Keypad 252 may also include command buttons that areassociated with selecting and sending images.

Illuminator 254 may provide a status indication and/or provide light.Illuminator 254 may remain active for specific periods of time or inresponse to events. For example, when illuminator 254 is active, it maybacklight the buttons on keypad 252 and stay on while the clientcomputer is powered. Also, illuminator 254 may backlight these buttonsin various patterns when particular actions are performed, such asdialing another client computer. Illuminator 254 may also cause lightsources positioned within a transparent or translucent case of theclient computer to illuminate in response to actions.

Further, client computer 200 may also comprise hardware security module (HSM) 268 for providing additional tamper resistant safeguards for generating, storing and/or using security/cryptographic information such as keys, digital certificates, passwords, passphrases, two-factor authentication information, or the like. In some embodiments, the hardware security module may be employed to support one or more standard public key infrastructures (PKI), and may be employed to generate, manage, and/or store key pairs, or the like. In some embodiments, HSM 268 may be arranged as a hardware card that may be added to a client computer.

Client computer 200 may also comprise input/output interface 238 for communicating with external peripheral devices or other computers such as other client computers and network computers. The peripheral devices may include an audio headset, display screen glasses, remote speaker system, remote speaker and microphone system, and the like. Input/output interface 238 can utilize one or more technologies, such as Universal Serial Bus (USB), Infrared, WiFi, WiMax, Bluetooth™, Bluetooth Low Energy, or the like.

Haptic interface 264 may be arranged to provide tactile feedback to auser of the client computer. For example, the haptic interface 264 maybe employed to vibrate client computer 200 in a particular way whenanother user of a computer is calling. Open air gesture interface 260may sense physical gestures of a user of client computer 200, forexample, by using single or stereo video cameras, radar, a gyroscopicsensor inside a computer held or worn by the user, or the like. Camera240 may be used to track physical eye movements of a user of clientcomputer 200.

In at least one of the various embodiments, client computer 200 may also include sensors 262 for determining geolocation information (e.g., GPS), monitoring electrical power conditions (e.g., voltage sensors, current sensors, frequency sensors, and so on), monitoring weather (e.g., thermostats, barometers, anemometers, humidity detectors, precipitation scales, or the like), light monitoring, audio monitoring, motion sensors, or the like. Sensors 262 may be one or more hardware sensors that collect and/or measure data that is external to client computer 200.

GPS transceiver 258 can determine the physical coordinates of clientcomputer 200 on the surface of the Earth, which typically outputs alocation as latitude and longitude values. GPS transceiver 258 can alsoemploy other geo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference(E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), EnhancedTiming Advance (ETA), Base Station Subsystem (BSS), or the like, tofurther determine the physical location of client computer 200 on thesurface of the Earth. It is understood that under different conditions,GPS transceiver 258 can determine a physical location for clientcomputer 200. In at least one embodiment, however, client computer 200may, through other components, provide other information that may beemployed to determine a physical location of the client computer,including for example, a Media Access Control (MAC) address, IP address,and the like.

In at least one of the various embodiments, applications, such as,secure machine learning client application 222, web browser 226, or thelike, may be arranged to employ geo-location information to select oneor more localization features, such as, time zones, languages,currencies, calendar formatting, or the like. Localization features maybe used in user-interfaces, reports, as well as internal processesand/or databases. In at least one of the various embodiments,geo-location information used for selecting localization information maybe provided by GPS 258. Also, in some embodiments, geolocationinformation may include information provided using one or moregeolocation protocols over the networks, such as, wireless network 108and/or network 111.

Human interface components can be peripheral devices that are physicallyseparate from client computer 200, allowing for remote input and/oroutput to client computer 200. For example, information routed asdescribed here through human interface components such as display 250 orkeyboard 252 can instead be routed through network interface 232 toappropriate human interface components located remotely. Examples ofhuman interface peripheral components that may be remote include, butare not limited to, audio devices, pointing devices, keypads, displays,cameras, projectors, and the like. These peripheral components maycommunicate over a Pico Network such as Bluetooth™, Zigbee™, BluetoothLow Energy, or the like. One non-limiting example of a client computerwith such peripheral human interface components is a wearable computer,which might include a remote pico projector along with one or morecameras that remotely communicate with a separately located clientcomputer to sense a user's gestures toward portions of an imageprojected by the pico projector onto a reflected surface such as a wallor the user's hand.

A client computer may include web browser application 226 that may be configured to receive and to send web pages, web-based messages, graphics, text, multimedia, and the like. The client computer's browser application may employ virtually any programming language, including wireless application protocol (WAP) messages, and the like. In at least one embodiment, the browser application is enabled to employ Handheld Device Markup Language (HDML), Wireless Markup Language (WML), WMLScript, JavaScript, Standard Generalized Markup Language (SGML), HyperText Markup Language (HTML), eXtensible Markup Language (XML), HTML5, and the like.

Memory 204 may include RAM, ROM, and/or other types of memory. Memory 204 illustrates an example of computer-readable storage media (devices) for storage of information such as computer-readable instructions, data structures, program modules or other data. Memory 204 may store Unified Extensible Firmware Interface (UEFI) 208 for controlling low-level operation of client computer 200. The memory may also store operating system 206 for controlling the operation of client computer 200. It will be appreciated that this component may include a general-purpose operating system such as a version of UNIX, or LINUX™, or a specialized client computer communication operating system such as Windows Phone™. The operating system may include, or interface with, Java and/or JavaScript virtual machine modules that enable control of hardware components and/or operating system operations via Java application programs or JavaScript programs.

Memory 204 may further include one or more data storage 210, which canbe utilized by client computer 200 to store, among other things,applications 220 and/or other data. For example, data storage 210 mayalso be employed to store information that describes variouscapabilities of client computer 200. The information may then beprovided to another device or computer based on any of a variety ofevents, including being sent as part of a header during a communication,sent upon request, or the like. Data storage 210 may also be employed tostore social networking information including address books, buddylists, aliases, user profile information, user credentials, or the like.Data storage 210 may further include program code, data, algorithms, andthe like, for use by a processor, such as processor 202 to execute andperform actions. In one embodiment, at least some of data storage 210might also be stored on another component of client computer 200,including, but not limited to, non-transitory processor-readableremovable storage device 236, processor-readable stationary storagedevice 234, or even external to the client computer.

Applications 220 may include computer executable instructions which,when executed by client computer 200, transmit, receive, and/orotherwise process instructions and data. Applications 220 may include,for example, secure machine learning client application 222, web browser226, or the like. In at least one of the various embodiments, securemachine learning client application 222 may be used to interact with amachine learning platform server computer, such as machine learningplatform server computer 116.

Other examples of application programs include calendars, searchprograms, email client applications, IM applications, SMS applications,Voice Over Internet Protocol (VOIP) applications, contact managers, taskmanagers, transcoders, database programs, word processing programs,security applications, spreadsheet programs, games, search programs, andso forth.

Additionally, in one or more embodiments (not shown in the figures), client computer 200 may include one or more embedded logic hardware devices instead of one or more CPUs, such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), Programmable Array Logic (PAL), or the like, or combination thereof. The embedded logic hardware devices may directly execute embedded logic to perform actions. Also, in one or more embodiments (not shown in the figures), the client computer may include one or more hardware microcontrollers instead of one or more CPUs. In at least one embodiment, the microcontrollers may be system-on-a-chips (SOCs) that may directly execute their own embedded logic to perform actions and access their own internal memory and their own external Input and Output Interfaces (e.g., hardware pins and/or wireless transceivers) to perform actions.

Illustrative Network Computer

FIG. 3 shows one embodiment of network computer 300 that may be included in a system implementing one or more embodiments of the described innovations. Network computer 300 may include more or fewer components than those shown in FIG. 3. However, the components shown are sufficient to disclose an illustrative embodiment for practicing these innovations. Network computer 300 may represent, for example, one embodiment of machine learning platform server computer 116 of FIG. 1.

As shown in the figure, network computer 300 includes a processor 302 incommunication with a memory 304 via a bus 328. Network computer 300 alsoincludes a power supply 330, network interface 332, audio interface 356,global positioning systems (GPS) receiver 362, display 350, keyboard352, input/output interface 338, processor-readable stationary storagedevice 334, and processor-readable removable storage device 336. Powersupply 330 provides power to network computer 300. In some embodiments,processor 302 may be a multiprocessor system that includes one or moreprocessors each having one or more processing/execution cores.

Network interface 332 includes circuitry for coupling network computer300 to one or more networks, and is constructed for use with one or morecommunication protocols and technologies including, but not limited to,protocols and technologies that implement any portion of the OpenSystems Interconnection model (OSI model), global system for mobilecommunication (GSM), code division multiple access (CDMA), time divisionmultiple access (TDMA), user datagram protocol (UDP), transmissioncontrol protocol/Internet protocol (TCP/IP), Short Message Service(SMS), Multimedia Messaging Service (MMS), general packet radio service(GPRS), WAP, ultra wide band (UWB), IEEE 802.16 WorldwideInteroperability for Microwave Access (WiMax), Session InitiationProtocol/Real-time Transport Protocol (SIP/RTP), or any of a variety ofother wired and wireless communication protocols. Network interface 332is sometimes known as a transceiver, transceiving device, or networkinterface card (NIC). Network computer 300 may optionally communicatewith a base station (not shown), or directly with another computer.

Audio interface 356 is arranged to produce and receive audio signalssuch as the sound of a human voice. For example, audio interface 356 maybe coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action. A microphone in audio interface 356 can also be usedfor input to or control of network computer 300, for example, usingvoice recognition.

Display 350 may be a liquid crystal display (LCD), gas plasma,electronic ink, light emitting diode (LED), Organic LED (OLED) or anyother type of light reflective or light transmissive display that can beused with a computer. Display 350 may be a handheld projector or picoprojector capable of projecting an image on a wall or other object.

Network computer 300 may also comprise input/output interface 338 forcommunicating with external devices or computers not shown in FIG. 3.Input/output interface 338 can utilize one or more wired or wirelesscommunication technologies, such as USB™, Firewire™, WiFi, WiMax,Thunderbolt™, Infrared, Bluetooth™, Zigbee™, serial port, parallel port,and the like.

GPS transceiver 362 can determine the physical coordinates of networkcomputer 300 on the surface of the Earth, which typically outputs alocation as latitude and longitude values. GPS transceiver 362 can alsoemploy other geo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference(E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), EnhancedTiming Advance (ETA), Base Station Subsystem (BSS), or the like, tofurther determine the physical location of network computer 300 on thesurface of the Earth. It is understood that under different conditions,GPS transceiver 362 can determine a physical location for networkcomputer 300.

Network computer 300 may also include sensors 364 for determining geolocation information (e.g., GPS), monitoring electrical power conditions (e.g., voltage sensors, current sensors, frequency sensors, and so on), monitoring weather (e.g., thermostats, barometers, anemometers, humidity detectors, precipitation scales, or the like), light monitoring, audio monitoring, motion sensors, or the like. Sensors 364 may be one or more hardware sensors that collect and/or measure data that is external to network computer 300.

In at least one embodiment, however, network computer 300 may, throughother components, provide other information that may be employed todetermine a physical location of the client computer, including forexample, a Media Access Control (MAC) address, IP address, and the like.

Human interface components can be physically separate from networkcomputer 300, allowing for remote input and/or output to networkcomputer 300. For example, information routed as described here throughhuman interface components such as display 350 or keyboard 352 caninstead be routed through the network interface 332 to appropriate humaninterface components located elsewhere on the network. Human interfacecomponents include any component that allows the computer to take inputfrom, or send output to, a human user of a computer. Accordingly,pointing devices such as mice, styluses, track balls, or the like, maycommunicate through pointing device interface 358 to receive user input.

Memory 304 may include Random Access Memory (RAM), Read-Only Memory(ROM), and/or other types of non-transitory computer readable and/orwriteable media. Memory 304 illustrates an example of computer-readablestorage media (devices) for storage of information such ascomputer-readable instructions, data structures, program modules orother data. Memory 304 stores a unified extensible firmware interface(UEFI) 308 for controlling low-level operation of network computer 300.The memory also stores an operating system 306 for controlling theoperation of network computer 300. It will be appreciated that thiscomponent may include a general-purpose operating system such as aversion of UNIX, or LINUX™, or a specialized operating system such asMicrosoft Corporation's Windows® operating system, or the AppleCorporation's OSX® operating system. The operating system may include,or interface with a Java virtual machine module that enables control ofhardware components and/or operating system operations via Javaapplication programs. Likewise, other runtime environments may beincluded.

Memory 304 may further include one or more data storage 310, which can be utilized by network computer 300 to store, among other things, applications 320 and/or other data. For example, data storage 310 may also be employed to store information that describes various capabilities of network computer 300. The information may then be provided to another device or computer based on any of a variety of events, including being sent as part of a header during a communication, sent upon request, or the like. Data storage 310 may also be employed to store social networking information including address books, buddy lists, aliases, user profile information, or the like. Data storage 310 may further include program code, data, algorithms, and the like, for use by one or more processors, such as processor 302, to execute and perform actions such as those actions described below. In one embodiment, at least some of data storage 310 might also be stored on another component of network computer 300, including, but not limited to, non-transitory media inside processor-readable removable storage device 336, processor-readable stationary storage device 334, or any other computer-readable storage device within network computer 300, or even external to network computer 300. Data storage 310 may include, for example, machine learning (ML) models 314, correlated randomness 316, datasets 317 (e.g., customer data sets, validation data sets, training data sets, or the like), or the like.

Applications 320 may include computer executable instructions which,when executed by network computer 300, transmit, receive, and/orotherwise process messages (e.g., SMS, Multimedia Messaging Service(MMS), Instant Message (IM), email, and/or other messages), audio,video, and enable telecommunication with another user of another mobilecomputer. Other examples of application programs include calendars,search programs, email client applications, IM applications, SMSapplications, Voice Over Internet Protocol (VOIP) applications, contactmanagers, task managers, transcoders, database programs, word processingprograms, security applications, spreadsheet programs, games, searchprograms, and so forth. Applications 320 may include secure machinelearning (ML) engine 322, ingestion engine 324, randomness engine 326,secure ML model answer engine 329, other applications 331, or the like,that may perform actions further described below. In at least one of thevarious embodiments, one or more of the applications may be implementedas modules and/or components of another application. Further, in atleast one of the various embodiments, applications may be implemented asoperating system extensions, modules, plugins, or the like.

In at least one of the various embodiments, applications, such as,secure machine learning (ML) engine 322, ingestion engine 324,randomness engine 326, secure ML model answer engine 329, otherapplications 331, or the like, may be arranged to employ geo-locationinformation to select one or more localization features, such as, timezones, languages, currencies, calendar formatting, or the like.Localization features may be used in user-interfaces, reports, as wellas internal processes and/or databases. In at least one of the variousembodiments, geo-location information used for selecting localizationinformation may be provided by GPS 362. Also, in some embodiments,geolocation information may include information provided using one ormore geolocation protocols over the networks, such as, wireless network108 and/or network 110.

Furthermore, in at least one of the various embodiments, secure machine learning (ML) engine 322, ingestion engine 324, randomness engine 326, secure ML model answer engine 329, other applications 331, or the like, may be operative in a cloud-based computing environment. In at least one of the various embodiments, these engines, and others that comprise the machine learning model repository, may be executing within virtual machines and/or virtual servers that may be managed in a cloud-based computing environment. In at least one of the various embodiments, in this context applications including the engines may flow from one physical network computer within the cloud-based environment to another depending on performance and scaling considerations automatically managed by the cloud computing environment. Likewise, in at least one of the various embodiments, virtual machines and/or virtual servers dedicated to one or more of secure machine learning (ML) engine 322, ingestion engine 324, randomness engine 326, secure ML model answer engine 329, other applications 331, or the like, may be provisioned and de-commissioned automatically.

Further, in some embodiments, network computer 300 may also include hardware security module (HSM) 360 for providing additional tamper resistant safeguards for generating, storing and/or using security/cryptographic information such as keys, digital certificates, passwords, passphrases, two-factor authentication information, or the like. In some embodiments, the hardware security module may be employed to support one or more standard public key infrastructures (PKI), and may be employed to generate, manage, and/or store key pairs, or the like. In some embodiments, HSM 360 may be arranged as a hardware card that may be installed in a network computer.

Additionally, in one or more embodiments (not shown in the figures), network computer 300 may include one or more embedded logic hardware devices instead of one or more CPUs, such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), Programmable Array Logic (PALs), or the like, or combination thereof. The one or more embedded logic hardware devices may directly execute their embedded logic to perform actions. Also, in one or more embodiments (not shown in the figures), the network computer may include one or more hardware microcontrollers instead of one or more CPUs. In at least one embodiment, the one or more microcontrollers may directly execute embedded logic to perform actions and access their own internal memory and their own external Input and Output Interfaces (e.g., hardware pins and/or wireless transceivers) to perform actions. E.g., they may be arranged as Systems On Chips (SOCs).

Illustrative Logical System Architecture

FIG. 4 shows a logical schematic of a portion of machine learning platform system 400 for cryptographically secure machine learning in accordance with one or more of the various embodiments. In one or more of the various embodiments, system 400 represents logical interactions between or among secure machine learning (ML) engine 322, ingestion engine 324, randomness engine 326, secure ML model answer engine 329, other applications 331, or the like, that may be hosted by one or more network computers, such as network computer 300.

In one or more of the various embodiments, system 400 may include secureML engine 402, ML model repository 404, secure ML answer engine 406, oneor more secure inputs 408, one or more secure ML Models 410, one or moresecure ML answers 412, or the like.

In one or more of the various embodiments, secure ML answer engine 406 and secure ML engine 402 may be arranged to enable cryptographically secure ML in accordance with one or more of the various embodiments. In some embodiments, a client application, such as secure ML client application 222 running on a client computer, such as client computer 200, may provide cryptographically secure input data, such as secure inputs 408, to secure ML answer engine 406. In some embodiments, secure ML answer engine 406 may be arranged to employ one or more secure ML models, such as secure ML model 410, to classify secure inputs 408. In some embodiments, the results of the classification operations, such as secure ML answer 414, may be provided to the client or user as a report, encoded data (e.g., JSON, XML, or the like), user-interface display, or the like, or combination thereof.

In one or more of the various embodiments, secure ML engine 402 and secure ML answer engine 406 may be arranged to support and enforce one or more privacy preserving machine learning (PPML) protocols. In some embodiments, the PPML protocol may enable the secure ML engine to provide ML classifications to a client without disclosing the contents of the input data or the secure ML model details to the participants.

Accordingly, in one or more of the various embodiments, a machine learning platform may be arranged to employ secure ML engine 402 and secure ML answer engine 406 to enable users to privately use one or more secure ML models. In some embodiments, clients may be enabled to provide one or more inputs for classification by one or more secure ML models such that the values of the one or more inputs are kept secret from everyone else.

Likewise, in one or more of the various embodiments, organizations maybe enabled to securely provide tuned and trained ML models for use byothers. Accordingly, in one or more of the various embodiments, clientsmay be enabled to use the secure ML model to classify their inputs butthey will be unable to see or access the internal details of the secureML models.

In one or more of the various embodiments, secure ML models may beassociated with a parameter model that describes the structure or typeof input data the secure ML model is compatible with. Also, in one ormore of the various embodiments, parameter models may include additionalmeta-data that describes the secure ML model. This information may beemployed by clients or the secure ML engine to select which secure MLmodel should be used to answer a client's question. Likewise, additionalmeta-data associated with a secure ML model may describe its price,classification accuracy, training level, age, names or descriptions ofthe type of classifications or answers, or the like.

In one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to execute various cryptographic operations that enable a user (or client) to classify input data while keeping that data hidden from other parties, including the ML model owner. Accordingly, in one or more of the various embodiments, the secure ML engine may be arranged to support one or more MPC protocols that may enable the production of a classification result while protecting the contents of the client input data from being observed or discovered by the secure ML engine and the secure ML model owner. Also, in one or more of the various embodiments, the one or more MPC protocols may protect the details of the secure ML model from the client and the secure ML engine.

Secure Machine Learning Protocols

In one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to support one or more protocols that enable secure multi-party computation (MPC). In some embodiments, hardware or software modules, hardware or software plugins, software libraries, ASICs, or the like, or combination thereof, may be provided to support different MPC protocols. Thus, as additional MPC protocols are developed, corresponding hardware or software modules, hardware or software plugins, software libraries, ASICs, or the like, may be installed to provide secure ML engine 402 or secure ML answer engine 406 the ability to execute the additional MPC protocols. While some of these protocols are described in detail below, they should not be considered limiting because these innovations contemplate the use of additional protocols as needed for a given application. However, the described protocols are sufficient to enable one of ordinary skill in the art to practice these innovations. Further, for clarity and brevity, the operation of secure ML protocols may be described in terms of a client that is providing input data for classification and a secure ML model owner that owns the ML model being used to classify the provided input data. However, in some embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to perform some or all of the protocol steps on behalf of the client or the secure ML model owner.

In one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to employ additive secret sharing to perform computation modulo q. In one or more of the various embodiments, a value x may be secretly shared over Z_(q) by picking x_(1), . . . , x_(n) uniformly at random subject to the constraint that x=Σ_(i=1) ^(n)x_(i) mod q and then distributing each share x_(i) to each party P_(i) (e.g., client and secure ML model owner). In some cases, [x]_(q) may denote this secret sharing.

Also, in one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to perform secure multiparty computation (MPC) addition. Accordingly, for example, given [x]_(q), [y]_(q) and a constant c, it is trivial for two parties to compute a secret sharing [z]_(q) corresponding to z=x+y, z=x−y, z=cx or z=x+c. All of these operations may be performed locally without interaction between parties by simply adding, subtracting or multiplying the shares respectively for the first three cases and by having a pre-agreed party (e.g., the secure ML answer engine) add the constant in the last case. Accordingly, in some embodiments, these operations may be denoted respectively by [z]_(q)←[x]_(q)+[y]_(q), [z]_(q)←[x]_(q)−[y]_(q), [z]_(q)←c[x]_(q) and [z]_(q)←[x]_(q)+c (one party). For a secret sharing [x]_(q), the parties can open the value x by revealing their shares x_(i).
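The following Python snippet is an added illustration (not part of this disclosure) of additive secret sharing over Z_(q) and the four local linear operations described above, in a two-party setting. The modulus Q, the function names and the sample values are the illustrator's assumptions. It also shows why the "one party" qualifier on [z]_(q)←[x]_(q)+c matters: if every party adds the constant to its share, the opened value is x+n·c rather than x+c.

```python
# Added example (not from the patent): additive secret sharing over Z_q
# with the purely local linear operations on shares.
import secrets

Q = 2**61 - 1  # modulus q of the ring Z_q (an assumption; any q works)


def share(x, n=2, q=Q):
    """Split x into n shares that are uniform subject to sum == x (mod q)."""
    shares = [secrets.randbelow(q) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % q)  # last share fixes the sum
    return shares


def open_value(shares, q=Q):
    """Reconstruct x once every party reveals its share x_i."""
    return sum(shares) % q


def add(xs, ys, q=Q):
    """[z] <- [x] + [y]: each party adds its own two shares."""
    return [(a + b) % q for a, b in zip(xs, ys)]


def sub(xs, ys, q=Q):
    """[z] <- [x] - [y]: each party subtracts its own two shares."""
    return [(a - b) % q for a, b in zip(xs, ys)]


def scale(c, xs, q=Q):
    """[z] <- c[x]: each party multiplies its share by the public c."""
    return [(c * a) % q for a in xs]


def add_const(xs, c, q=Q, party=0):
    """[z] <- [x] + c: only the pre-agreed party adds c to its share."""
    zs = list(xs)
    zs[party] = (zs[party] + c) % q
    return zs


def add_const_wrong(xs, c, q=Q):
    """Pitfall: if every party adds c, the opened value is x + n*c, not x + c."""
    return [(a + c) % q for a in xs]


def demo():
    """Run each operation on constructed sample values and open the results."""
    x, y, c = 1234, 5678, 10
    xs, ys = share(x), share(y)
    return {
        "add": open_value(add(xs, ys)),                 # 6912
        "sub": open_value(sub(xs, ys)),                 # (1234 - 5678) mod Q
        "scale": open_value(scale(c, xs)),              # 12340
        "add_const": open_value(add_const(xs, c)),      # 1244
        "add_const_wrong": open_value(add_const_wrong(xs, c)),  # 1254
    }


if __name__ == "__main__":
    print(demo())
```

Each party's share on its own is uniformly distributed in Z_(q), so a single share carries no information about x; only the opening step, where all shares are revealed, discloses the value.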

Also, in one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to perform secure multi-party computation (MPC) matrix multiplication. Accordingly, for example, in one or more of the various embodiments, the protocol may be parametrized by the size q of the selected ring and the dimensions (i, j) and (j, k) of the matrices, and runs with the parties P₁, . . . , P_(n). Thus, in some embodiments, a trusted secure ML answer engine or secure ML engine may be arranged to select uniformly random U and V in Z_(q) ^(i×j) and Z_(q) ^(j×k), respectively, compute W=UV and pre-distribute secret sharings [U]_(q), [V]_(q), [W]_(q) to the parties. The parties (e.g., clients providing input data and secure ML model owners) have inputs [X]_(q) ∈Z_(q) ^(i×j), [Y]_(q)∈Z_(q) ^(j×k) and interact as follows:

1) Locally compute [D]_(q)=[X]_(q)−[U]_(q) and [E]_(q)=[Y]_(q)−[V]_(q),then open D and E.

2) One party locally computes [Z]_(q)=[W]_(q)+E[U]_(q)+D[V]_(q)+DE,while the other computes [Z]_(q)=[W]_(q)+E[U]_(q)+D[V]_(q), where[Z]_(q) is a secret sharing of Z=XY.

Also, in one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to perform oblivious input selection (OIS). Accordingly, for example, in one or more of the various embodiments, a first party, designated as Alice (e.g., the client providing the input data), provides an input vector of values, x=(x₁, . . . , x_(n)), and a second party, Bob (e.g., the secure ML model owner), has as input k, the index of the desired input value. In this example, let l be the bit length of the inputs to be shared and n be the dimension of the input vector provided by the client. Accordingly, in this example, a trusted initializer, such as secure ML engine 402 or secure ML answer engine 406, pre-distributes the correlated randomness necessary for the execution of OIS over Z₂. The protocol may proceed as follows:

1) Define y_(k)=1 and, for j∈{1, . . . , n}\{k}, y_(j)=0. For j∈{1, . . . , n} and i∈{1, . . . , l}, let x_(j,i) denote the i-th bit of x_(j). Define [y_(j)]₂ as the pair of shares (0, y_(j)) and [x_(j,i)]₂ as (x_(j,i), 0).

2) Compute in parallel [z_(i)]₂←Σ_(j=1) ^(n) [y_(j)]₂ [x_(j,i)]₂ for i=1, . . . , l.

3) Output [z_(i)]₂ for i∈{1, . . . , l}.

Also, in one or more of the various embodiments, secure ML engine 402 or secure ML answer engine 406 may be arranged to securely or privately execute one or more decision tree protocols associated with the secure ML model being used. Accordingly, for example, in one or more of the various embodiments, the first party, Alice (a client), may provide inputs x=(x₁, . . . , x_(n))∈R^(n) and the secure ML answer engine will employ a secure ML model to provide a corresponding classification result such as true or false. In one or more of the various embodiments, the second party, Bob (which may be the secure ML engine or the secure ML model), provides the secure ML model D=(P, H, w), where P is the polynomial representation of the decision tree incorporated in the secure ML model, H is a data structure arranged to map internal nodes of the secure ML model decision tree to specific input features provided in the input data by the client (e.g., Alice) and w may be a vector of threshold values that correspond to the decision tree included in the secure ML model. Note, in one or more of the various embodiments, the decision tree is described as being “included” in the secure ML model because in some embodiments a secure ML model may include more than one decision tree or additional model elements such as heuristics, filters, or the like, that may be evaluated separately.

In one or more of the various embodiments, the polynomial P may be a sum of terms such that each term corresponds to one possible path in the decision tree; in a binary classification tree, only the paths that lead to the same result may be recorded (e.g., all paths that lead to true or all paths that lead to false). If a certain set of inputs followed one such path of the tree, the corresponding term would evaluate to one while the remaining terms evaluate to zero. For example, the decision tree model in FIG. 5 has three resulting comparisons when evaluating the tree, z₁, z₂, z₃, and its polynomial would be P(z₁, z₂, z₃)=z₁z₂+z₁z₃. For a truth value or bit a, we let ā represent its negation.

Alice (e.g., the client) has as input a feature vector x and Bob (the secure ML model owner) has a decision tree model D=(P, H, w). Alice and Bob proceed as follows:

1) Let n be the number of unique comparisons in P. For i=1, . . . , n, Alice and Bob obtain bitwise secret sharings of x_(H(i)) by using OIS with inputs x₁, . . . , x_(n) from Alice and input H(i) from Bob.

2) For i=1, . . . , n, Alice and Bob securely compare x_(H(i)) and w_(i). For the input w_(i), Bob inputs its bit representation and Alice inputs zeros. Let [z_(i)]₂ denote the result.

3) Alice and Bob securely evaluate the polynomial P using secure addition and multiplication. Let [σ]₂ denote the result. [σ]₂ is then opened to Alice, who reconstructs σ.
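The additive sharing, local operations, trusted-initializer matrix multiplication, OIS and polynomial-evaluation steps described above, as an added worked example that is not the patent's own code: both parties and the trusted initializer are simulated in one process, the matrix products of step 2 are taken as UE and DV so that the dimensions agree, and the secure comparison of step 2 of the decision tree protocol is assumed to have been run already, so its result bits z_(i) are supplied as ready-made shares.

```python
import secrets

# Two-party additive secret sharing over Z_q. A matrix is a list of rows and a
# sharing is a pair (share of party 0, share of party 1) whose sum is the value mod q.

def rand_matrix(rows, cols, q):
    return [[secrets.randbelow(q) for _ in range(cols)] for _ in range(rows)]

def madd(a, b, q):
    return [[(x + y) % q for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def msub(a, b, q):
    return [[(x - y) % q for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def mmul(a, b, q):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(ra, cb)) % q for cb in cols] for ra in a]

def share(x, q):
    """[X]_q: share 0 is uniform, share 1 = X - share 0, so the shares sum to X mod q."""
    s0 = rand_matrix(len(x), len(x[0]), q)
    return s0, msub(x, s0, q)

def open_value(s0, s1, q):
    """Both parties reveal their shares and reconstruct X."""
    return madd(s0, s1, q)

def add_public(xs, c, q):
    """[z] <- [x] + c: only the pre-agreed party (party 0) adds the constant."""
    return madd(xs[0], [[c] * len(r) for r in xs[0]], q), xs[1]

def trusted_init(i, j, k, q):
    """Trusted initializer: random U (i x j), V (j x k), W = UV, each pre-shared."""
    u, v = rand_matrix(i, j, q), rand_matrix(j, k, q)
    return share(u, q), share(v, q), share(mmul(u, v, q), q)

def secure_matmul(xs, ys, triple, q):
    """Secure [Z] = [X][Y] from one pre-distributed (U, V, W); one round of interaction."""
    us, vs, ws = triple
    # Step 1: each party locally masks its shares; D = X - U and E = Y - V are opened.
    d = open_value(msub(xs[0], us[0], q), msub(xs[1], us[1], q), q)
    e = open_value(msub(ys[0], vs[0], q), msub(ys[1], vs[1], q), q)
    # Step 2: XY = (U + D)(V + E) = W + UE + DV + DE. Each party computes its share of
    # W + UE + DV locally; the public term DE is added by party 0 only.
    z = []
    for p in (0, 1):
        zp = madd(madd(ws[p], mmul(us[p], e, q), q), mmul(d, vs[p], q), q)
        z.append(madd(zp, mmul(d, e, q), q) if p == 0 else zp)
    return z[0], z[1]

def oblivious_input_select(x_values, k, bit_len):
    """OIS over Z_2: Alice holds x = (x_1, ..., x_n), Bob holds the 1-based index k.
    Returns a bitwise sharing of x_k (bit i in column i, least significant first)."""
    n = len(x_values)
    # Bob's one-hot selector y is shared as (0, y); Alice's bits are shared as (x_bits, 0).
    y = [[1 if j == k else 0 for j in range(1, n + 1)]]                  # 1 x n
    x_bits = [[(v >> i) & 1 for i in range(bit_len)] for v in x_values]   # n x l
    y_shares = ([[0] * n], y)
    x_shares = (x_bits, [[0] * bit_len for _ in range(n)])
    # z_i = sum_j y_j * x_{j,i} is exactly a (1 x n)(n x l) secure matrix product.
    return secure_matmul(y_shares, x_shares, trusted_init(1, n, bit_len, 2), 2)

def reconstruct_bits(shares):
    """Open a bitwise sharing (a 1 x l row of bits) back to the integer it encodes."""
    return sum(b << i for i, b in enumerate(open_value(shares[0], shares[1], 2)[0]))

def secure_polynomial(z_shares, paths):
    """Evaluate P = sum over paths of the product of that path's comparison bits, on
    secret-shared 1 x 1 bits. For FIG. 5, P(z1, z2, z3) = z1 z2 + z1 z3 is [[1, 2], [1, 3]]
    (1-based). Products use secure_matmul over Z_2; additions are local."""
    acc = ([[0]], [[0]])
    for path in paths:
        term = z_shares[path[0] - 1]
        for idx in path[1:]:
            term = secure_matmul(term, z_shares[idx - 1], trusted_init(1, 1, 1, 2), 2)
        acc = (madd(acc[0], term[0], 2), madd(acc[1], term[1], 2))
    return acc   # [sigma]_2; Alice opens it by adding the two shares mod 2

if __name__ == "__main__":
    q = 2 ** 16
    zs = secure_matmul(share([[1, 2, 3], [4, 5, 6]], q),
                       share([[7, 8], [9, 10], [11, 12]], q), trusted_init(2, 3, 2, q), q)
    print(open_value(zs[0], zs[1], q))                                    # [[58, 64], [139, 154]]
    print(reconstruct_bits(oblivious_input_select([37, 200, 9], 2, 8)))   # 200
    bits = [share([[b]], 2) for b in (1, 0, 1)]          # comparison results z1, z2, z3
    print(open_value(*secure_polynomial(bits, [[1, 2], [1, 3]]), 2))     # [[1]]
```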

In one or more of the various embodiments, various steps of the above described protocols may be compiled in one or more of software libraries, FPGAs, ASICs, instructions stored in EEPROMs, or the like, or combination thereof.

FIG. 5 illustrates a logical representation of tree model 500 that may be part of a secure ML model arranged for tree-based classifiers in accordance with one or more of the various embodiments. Tree model 500 is referred to in the discussion above for FIG. 4. In one or more of the various embodiments, secure ML engines may be arranged to support ML models or tree models that have various shapes or structures. In one or more of the various embodiments, the secure multiparty computation methods used by a secure ML engine may be adapted or varied depending on the structure of a given secure ML model. In one or more of the various embodiments, the particular shape or structure of a given secure ML model may be shared with the secure ML engine to enable it to select an MPC protocol that may be compatible with the secure ML model.

In one or more of the various embodiments, as described herein, secure ML engines may be arranged to identify one or more secure ML models that may be able to answer the client's question. Accordingly, in one or more of the various embodiments, the MPC protocol used to evaluate the client's input data may be different depending on the structure of the selected model.

In one or more of the various embodiments, the secure ML model may be associated with meta-data that identifies the type of structure of the model. Or, in some embodiments, the secure ML model or its corresponding parameter model may define one or more MPC protocols that it may be compatible with.

In one or more of the various embodiments, tree models representing decision trees, random forests, or boosted decision tree models may include various data structures. For example, in some embodiments, tree models, such as tree model 500, may be represented in memory as a dictionary data structure. In some examples, tree models may be represented using, and saved as, a JSON string.

In one or more of the various embodiments, one or more tree models, such as tree model 500, may be associated with a list of the class labels, the input features that the model requires (e.g., its parameter model), the weights/confidence of the trees, a list of the trees themselves, or the like.

In some embodiments, the ‘weights’ field may be present if the tree model represents a boosted decision tree model. In one or more of the various embodiments, each tree model in a ML model ensemble may include the following properties:

Thresholds: A list of the thresholds for each node of the tree. The i^(th) threshold corresponds to the i^(th) feature. In some embodiments, there may be duplicate thresholds, but each feature/threshold pair may be a unique tuple. Let t_(i) represent the threshold value of the i^(th) node.

Features: A list of the feature names for each node in the tree. The i^(th) feature corresponds to the i^(th) threshold. There may be duplicate features, but each feature/threshold pair is a unique tuple and generally represents a unique node. In some cases, tree models may have nodes in different parts of the tree that have identical feature/threshold values. Accordingly, memory and processing resources may be optimized by storing the tuple once rather than multiple times. Let f_(i) represent the feature name of the i^(th) node. Let the function H(i) return the index of the input feature for node i.

Polynomial: A mapping of the feature/threshold tuples into a representation of a tree. Consider each path in a tree from its root to one of its leaves a logical AND of the results from each node in the path. Accordingly, in some embodiments, this may be represented using a data structure, such as an array of arrays, where each internal array represents a path to a leaf in the tree and each value of the internal array is the index of the feature/threshold tuple for the node it represents. Let polynomial_(l) represent the nodal path of the l^(th) leaf.

Inversions: An array of arrays with the same dimensions as the polynomial field. A value of 1 means the comparison result should be inverted. inversions_(l,i) corresponds to polynomial_(l,i) for l=0, . . . , 2^(d).

Classifiers: An array of arrays where each internal array maps to the leaf of the tree whose nodal path is represented by the corresponding internal array of the ‘polynomial’ field. So the i^(th) array of the ‘classifier’ field is the votes of the leaf attained by the threshold comparison of every node listed in the i^(th) array of the ‘polynomial’ field evaluating to 1. The length of each internal array may be the same as the length of the ‘classes’ field in the tree model, since each element of the classifier's internal arrays is that leaf's vote to the corresponding class. In other words, each internal array corresponds to the probability distribution over the class labels in the leaf of a tree. Let classifier[i][c] be the vote for class c from leaf i.
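The tree-model dictionary just described, evaluated in the clear (no MPC) as an added example that is not the patent's own code: the trees, their values and the JSON layout are constructed, node indices in ‘polynomial’ are 0-based, and the comparison direction x < t at each node is an assumption since the text only says a node compares its feature with its threshold.

```python
import json

# Constructed model in the layout described above: a class list, the input features the
# model requires, per-tree weights (present because this is a boosted ensemble), and the
# trees as features/thresholds/polynomial/inversions/classifiers arrays.
MODEL_JSON = """
{
  "classes": ["young", "old"],
  "features": ["age", "bmi"],
  "weights": [0.6, 0.4],
  "trees": [
    {
      "features": ["age", "bmi", "age"],
      "thresholds": [40, 25, 65],
      "polynomial": [[0, 1], [0, 1], [0, 2], [0, 2]],
      "inversions": [[0, 0], [0, 1], [1, 0], [1, 1]],
      "classifiers": [[1.0, 0.0], [0.8, 0.2], [0.3, 0.7], [0.0, 1.0]]
    },
    {
      "features": ["age"],
      "thresholds": [50],
      "polynomial": [[0], [0]],
      "inversions": [[0], [1]],
      "classifiers": [[0.9, 0.1], [0.1, 0.9]]
    }
  ]
}
"""

def node_comparisons(tree, feature_index, x):
    """z_i for each node i: 1 if x[H(i)] < t_i (comparison direction is assumed)."""
    return [int(x[feature_index[f]] < t)
            for f, t in zip(tree["features"], tree["thresholds"])]

def leaf_terms(tree, z):
    """One term per leaf: AND over the path's nodes of z_i, inverted where inversions is 1."""
    return [int(all((z[i] ^ inv) == 1 for i, inv in zip(path, invs)))
            for path, invs in zip(tree["polynomial"], tree["inversions"])]

def evaluate_tree(tree, feature_index, x):
    """Return the class votes of the single leaf whose path term evaluates to 1."""
    terms = leaf_terms(tree, node_comparisons(tree, feature_index, x))
    if sum(terms) != 1:   # a well-formed tree activates exactly one root-to-leaf path
        raise ValueError(f"malformed tree: {sum(terms)} leaf paths active, expected 1")
    return tree["classifiers"][terms.index(1)]

def classify(model, x):
    """Weighted vote of every tree in the ensemble; returns (label, per-class score).
    x is the input vector ordered like the model's 'features' list (its parameter model)."""
    feature_index = {name: i for i, name in enumerate(model["features"])}
    weights = model.get("weights") or [1.0] * len(model["trees"])
    scores = [0.0] * len(model["classes"])
    for w, tree in zip(weights, model["trees"]):
        for c, vote in enumerate(evaluate_tree(tree, feature_index, x)):
            scores[c] += w * vote
    best = max(range(len(scores)), key=scores.__getitem__)
    return model["classes"][best], scores

MODEL = json.loads(MODEL_JSON)

if __name__ == "__main__":
    print(classify(MODEL, [30, 22]))   # ('young', [0.96, 0.04])
    print(classify(MODEL, [55, 22]))   # ('old', [0.22, 0.78])
```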

FIG. 6 illustrates a logical representation of machine learning (ML) model envelope 600 for scoring model objects in accordance with one or more of the various embodiments. In one or more of the various embodiments, ML model envelopes may be comprised of parameter model 602, secure ML model 604, model output 606, or the like.

In one or more of the various embodiments, a parameter model, such as parameter model 602, may be defined in terms of the model schema. In some embodiments, parameter model 602 may act as a guard that restricts which input data model objects may be provided to a secure ML model. In one or more of the various embodiments, parameter model 602 may identify one or more portions of a data model that may be provided to a particular secure ML model, such as secure ML model 604.

In one or more of the various embodiments, parameter models define the model objects that are compatible or eligible for classification or scoring using a given secure ML model. For example, in one or more of the various embodiments, parameter model 602 may be arranged to require model objects that conform to the requirements of secure ML model 604.

In one or more of the various embodiments, secure ML model 604 represents the actual machine learning model included in ML model envelope 600 that may be executed by a secure ML engine or secure ML answer engine. A secure ML model may accept the matching model objects that satisfy the parameter model and produce a result or classification result based on the provided model objects.

Accordingly, in one or more of the various embodiments, input data provided by a client for classification by a secure ML answer engine may be transformed by an ingestion process to conform with a model object schema that is compatible with one or more parameter models for one or more secure ML models.

Further, in one or more of the various embodiments, a client may provide a parameter model that corresponds to its input data to the secure ML engine without exposing the contents or values of the input data. In some embodiments, the parameter model provided by the client may enable the secure ML engine to discover the type or structure of the input data without exposing the input data values.

In one or more of the various embodiments, the particular secure ML model or its underlying model implementation may be arbitrary as long as it accepts the model objects that satisfy its associated parameter model. For example, a simple secure ML model may be arranged to provide results that indicate if a patient is old or young. Accordingly, in this example, the secure ML model may include a parameter model that requires a patient model object that includes an age value. Thus, in this trivial example, a secure ML model may be arranged to produce a true result if the age value is above a defined threshold. In contrast, in some embodiments, other secure ML models may have parameter models that require several complex model objects that have many model object fields.

In one or more of the various embodiments, parameter model 602 may be used by a secure ML engine, such as secure ML engine 322, to select a secure ML model for the input data provided by a client.

In one or more of the various embodiments, secure ML models may be comprised of two or more other ML models. For example, ML model envelope 608 includes ML model 612 that is comprised of two or more ML models (e.g., ML models 616). Accordingly, in one or more of the various embodiments, parameter model 610 may be arranged to accept model objects conforming to data models that are required by or compatible with the included ML models 616. Likewise, in one or more of the various embodiments, model output 614 may be arranged to produce output values based on a combination of sub-outputs produced by ML models 616. Note, the particular combination of the sub-outputs may be included as part of secure ML model 612 or model output 614 based on the application of secure ML model 612. In some embodiments, secure ML models that include more than one ML model may be arranged to include rules that select one or more sub-outputs to include or combine into its ultimate output. For example, in some embodiments, secure ML model 612 may be arranged to exclude one or more outlying results and then provide a score that is based on an average of the remaining results. Likewise, in some embodiments, rules may employ dynamic programming such that one or more of the included secure ML models are used depending on the input parameter values.

FIG. 7 illustrates a logical representation of system 700 for mapping input data to ML parameter models in accordance with one or more of the various embodiments. In one or more of the various embodiments, a client may provide secured or encrypted input data, such as input data 704. In one or more of the various embodiments, input data 704 may be arranged to conform to a well-defined schema or model schema that is supported by secure ML engine 702. In one or more of the various embodiments, one or more ingestion engines, such as ingestion engine 324, may be arranged to conform input data to one or more ML model schemas supported by secure ML engine 702.

In one or more of the various embodiments, ingestion engines may be arranged to apply one or more rules or configuration information to transform, map, normalize, or otherwise conform the raw input data into input data compatible with the ML model schema.

In one or more of the various embodiments, input parameter model 706 represents a parameter model view of the input data. Essentially, input parameter model 706 represents various metadata, such as data types, constraints, dependencies, or the like, that may be used by the secure ML engine to identify, or select, one or more compatible/matching secure ML models. In one or more of the various embodiments, input parameter models, such as input parameter model 706, may be arranged to be separate from the input data values. Also, in some embodiments, input parameter models may be arranged to include the cryptographically secure (e.g., encrypted) values that correspond to the input values being provided by a client. However, in either case, the secure ML engine is arranged to read the schema information included in the parameter model. In some embodiments, the schema information in the parameter models may be arranged to include enough data type or data structure information to enable the secure ML engine to select one or more compatible secure ML models. Likewise, in one or more of the various embodiments, if a particular secure ML model has already been selected, the input parameter model provided by the client may be compared with the parameter model of the secure ML model to confirm that the input data is compatible with the selected secure ML model.

In one or more of the various embodiments, input parameter models, such as input parameter model 706, may be provided to a secure ML engine, such as secure ML engine 702. Accordingly, in some embodiments, secure ML engine 702 may be arranged to confirm that the secure ML models required to classify the client provided input data may be compatible with the input parameter model provided by the client.

FIGS. 8A and 8B illustrate logical schematics of different deployment arrangements that may be used by various embodiments for cryptographically secure machine learning.

FIG. 8A illustrates a logical schematic of system 800 for cryptographically secure machine learning in accordance with one or more of the various embodiments. In one or more of the various embodiments, randomness engines used to support secure cryptographic operations may be distributed among different parts of the system.

Accordingly, in one or more of the various embodiments, a server or platform host, such as server 802, may be arranged to include a randomness engine, such as randomness engine 804. Also, in some embodiments, server 802 may be arranged to include a secure ML answer engine, such as secure ML answer engine 806. Further, in one or more of the various embodiments, a client computer or client host, such as client 808, may be arranged to include its own randomness engine, such as client randomness engine 810, as well as a client secure ML answer engine, such as client secure ML answer engine 812.

In one or more of the various embodiments, the randomness engine on server 802 (e.g., randomness engine 804) may be arranged to communicate with the randomness engine on client 808 (e.g., client randomness engine 810). In one or more of the various embodiments, the randomness engines on server 802 and client 808 may be arranged to be compatible with each other such that they employ one or more protocols to establish randomness sufficient for cryptographically secure machine learning. In some embodiments, client randomness engine 810 and randomness engine 804 may be arranged to exchange handshake information used for initialization. In other embodiments, out-of-band initialization information may be provided to each randomness engine separately. For example, seeds, salts, protocols, pre-made random values, one-time pads, or the like, may be shared over a secure connection or by other methods, such as hand-delivered data files.

In one or more of the various embodiments, secure ML answer engine 806 may be arranged to obtain randomness information from randomness engine 804. Similarly, in some embodiments, client secure ML answer engine 812 may be arranged to obtain randomness information from client randomness engine 810. In some embodiments, the different randomness engines may be co-located or otherwise locally deployed to support cryptographic operations. In other embodiments, randomness engines may be arranged to be distributed such that they still provide randomness information to one or more secure ML engines even though they are located or operating on different hosts or computers.

FIG. 8B illustrates a logical schematic of system 814 for cryptographically secure machine learning in accordance with one or more of the various embodiments. In one or more of the various embodiments, a randomness engine used to support secure cryptographic operations may be shared by different parts of the system.

Accordingly, in one or more of the various embodiments, a server or platform host, such as server 816, may be arranged to include a randomness engine, such as randomness engine 820. Also, in some embodiments, server 816 may be arranged to include a secure ML answer engine, such as secure ML answer engine 818. Further, in one or more of the various embodiments, a client computer or client host, such as client 822, may be arranged to include a client secure ML answer engine, such as client secure ML answer engine 824.

In one or more of the various embodiments, the randomness engine on server 816 (e.g., randomness engine 820) may be arranged to provide randomness information for both secure ML answer engine 818 and client secure ML answer engine 824.

In some embodiments, similar to randomness engine 804, randomness engine 820 may be arranged to exchange handshake information used for initialization, for example, seeds, salts, protocols, pre-made random values, one-time pads, or the like.

In one or more of the various embodiments, secure ML answer engine 818 may be arranged to obtain randomness information from randomness engine 820. And, in some embodiments, client secure ML answer engine 824 may be arranged to also obtain randomness information from randomness engine 820. In some embodiments, the randomness engine may be co-located or otherwise included as part of the machine learning platform. In other embodiments, randomness engines may be located or operating on different services, hosts, or computers.

FIG. 9 illustrates a logical schematic of system 900 for cryptographically secure machine learning in accordance with one or more of the various embodiments. In one or more of the various embodiments, system 900 may include secure ML engine 902, secure ML answer engine 904, client secure ML answer engine 906, input data 908, secure ML model 910, or the like.

In one or more of the various embodiments, secure ML answer engines, such as secure ML answer engine 904, may be arranged to execute one or more cryptographic operations to support the one or more secure multiparty computation (MPC) protocols used as part of cryptographically secure machine learning. In some embodiments, engines for the client or server may be distributed to different hosts or processes. Accordingly, in this example, client secure ML answer engine 906 is shown separate from secure ML answer engine 904 to represent this type of embodiment. Likewise, in one or more of the various embodiments, one or more secure ML answer engines may be arranged to perform operations for both the client and server.

In one or more of the various embodiments, secure ML engines, such as secure ML engine 902, may be arranged to compute or distribute pre-computed cryptographic information to clients, servers, secure ML answer engines, or the like, or combination thereof. Accordingly, in one or more of the various embodiments, secure ML engine 902 may be arranged to pre-compute cryptographic information, such as randomness, public/private key pairs, homomorphic encryption shares, or the like, that may be shared with one or more secure ML answer engines as needed.

For example, in one or more of the various embodiments, pre-computing homomorphic encryption shares improves the operation of secure ML answer engines (e.g., secure ML answer engine 904) by enabling secure classification to be performed faster since the most time consuming cryptographic operations are performed before users submit inputs to be classified.

In one or more of the various embodiments, secure ML engine 902 may be arranged to facilitate or coordinate the operations to enable secure ML answer engine 904 and client secure ML answer engine 906 to securely classify inputs (e.g., input data 908) provided by a client using secure ML model 910.

As described above, secure ML model 910 represents a trained secure ML model that is cryptographically secured such that neither secure ML answer engine 904 nor the client or client secure ML answer engine 906 are able to observe the internal details of the trained models.

In one or more of the various embodiments, the secure ML model may be arranged to publish or otherwise expose its parameter model and other shape information (e.g., type of model, type of classifiers, or the like) that enable the client to prepare its input data for classification.

In one or more of the various embodiments, the client may be arranged to share a parameter model that represents or describes the type or structure of the input data without exposing the values of the input data. Accordingly, in one or more of the various embodiments, secure ML engine 902 may be arranged to identify one or more secure ML models, such as secure ML model 910, that may be capable of answering the question (e.g., performing the classification) requested by the client. In some embodiments, the secure ML model may be selected or requested by a client. In such cases, in some embodiments, the secure ML engine may be arranged to confirm that the input data is compatible with the selected secure ML model by comparing the parameter model provided by the client with the parameter model associated with the selected secure ML model.

In one or more of the various embodiments, after the client has provided a parameter model and question and the secure ML engine has selected an appropriate secure ML model, the client secure ML answer engine and the secure ML answer engine work together to securely compute an answer to the client question (e.g., classify the input provided by the client) using one or more secure multiparty computation protocols.

In this example, for one or more of the various embodiments, communication channel 912 represents a channel used by secure ML engine 902 to coordinate with client secure ML answer engine 906 and secure ML answer engine 904. For example, answer engines may exchange partial parameters, partial values, partial model elements, randomness information, or the like, as part of the computation of the answer.

In one or more of the various embodiments, the particular workflow, operations, or the like, to execute secure multiparty computation may depend on the particular protocols being used. In some embodiments, one or more clients or one or more secure ML models may be arranged to require that particular protocols be used. For example, the structure or shape of a given secure ML model may require particular secure protocols. Likewise, in some embodiments, in some cases the input data, the ML model, or the application may require enhanced security (or less security). Accordingly, in one or more of the various embodiments, meta-data associated with the input data, the ML model, or the application may define which protocol should be used. In one or more of the various embodiments, secure ML engine 902, secure ML answer engine 904, or client secure ML answer engine 906 may be arranged to employ configuration information provided via configuration files, rule-based policies, plugins, loadable libraries, built-ins, or the like, to execute the steps and workflows required by the selected protocols.

Generalized Operations

FIGS. 10-12 represent the generalized operations for cryptographically secure machine learning in accordance with at least one of the various embodiments. In one or more of the various embodiments, processes 1000, 1100, and 1200 described in conjunction with FIGS. 10-12 may be implemented by and/or executed on a single network computer, such as network computer 300 of FIG. 3. In other embodiments, these processes or portions thereof may be implemented by and/or executed on a plurality of network computers, such as network computer 300 of FIG. 3. However, embodiments are not so limited, and various combinations of network computers, client computers, virtual machines, or the like may be utilized. Further, in one or more of the various embodiments, the processes described in conjunction with FIGS. 10-12 may be operative in a machine learning platform such as described in conjunction with FIGS. 4-9.

FIG. 10 illustrates an overview flowchart for process 1000 for cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments. After a start block, at block 1002, in one or more of the various embodiments, a client may provide a parameter model and ML model preferences to a secure ML engine. As described above, parameter models may be used to define or describe the input data types or input data structures that may be compatible with one or more ML models. In some embodiments, clients may be provided published API information that describes the parameter models that may be accepted by the secure machine learning platform.

Also, in one or more of the various embodiments, secure ML models available to the client may be arranged to describe the parameter models that they may accept. Also, in one or more of the various embodiments, secure ML models that are available to clients may be arranged to expose information that describes the types of questions (e.g., classifications) the secure ML model can answer. In some embodiments, secure ML models may expose additional data such as the type of ML model, owner of the ML model, age or version of the ML model, precision or confidence ratings, or the like. Also, in some cases, different ML models may be associated with a price or price plan. Accordingly, in one or more of the various embodiments, when providing input data or a question, clients may declare a maximum price they are willing to pay to answer the question. Thus, in some embodiments, if the secure ML engine discovers two or more secure ML models that otherwise meet the client's criteria, the price of using a secure ML model may be an additional criterion for selecting a secure ML model.

At block 1004, in one or more of the various embodiments, the secure ML engine may be arranged to identify or select one or more ML models based on the information provided by the client. In one or more of the various embodiments, the secure ML engine may query a database of ML models to identify if one or more ML models may be available to answer the client's question.

Accordingly, in one or more of the various embodiments, the secure ML engine may query for ML models that answer the client's question and support the parameter model(s) supported by the client. Likewise, in some embodiments, if the client has provided additional criteria, the secure ML engine may be arranged to locate or identify one or more qualifying ML models.

In some cases, for some embodiments, two or more ML models may match the client's requirements. Accordingly, in some embodiments, the secure ML engine may be arranged to employ one or more defined rules to select one of the ML models. For example, in some embodiments, a rule may declare that if two or more ML models satisfy the client's requirements, the newest ML model should be used. Other examples of selection rules may include: selecting the most precise ML model, selecting the least expensive (e.g., lowest cost) ML model, selecting the most popular ML model, asking for user input to make the selection, or the like, from among the two or more matching ML models.

In one or more of the various embodiments, such rules may be included in configuration information that may be modified or customized for different ML models, model owners, clients, questions, or the like. In some embodiments, the clients may provide rules, rule preferences, or rule information as part of the model preferences they provide to the secure ML engine.

In one or more of the various embodiments, the client may provide two or more parameter models that represent different types of input the client may provide. Accordingly, the secure ML engine may select a ML model that matches at least one of the parameter models provided by the client.
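The parameter-model guard of FIG. 6 and the block 1004 selection just described (question match, at least one compatible client parameter model, the client's price cap, then a tie-breaking rule), as an added example that is not the patent's own code: the model catalogue, the field-name-to-type form of a parameter model and the rule names are constructed for illustration.

```python
from dataclasses import dataclass

# A parameter model is represented here as a mapping of field name -> data type; it
# carries no input values, which is what lets the client share it without exposing data.

@dataclass(frozen=True)
class SecureModel:
    name: str
    question: str          # the classification the model answers
    parameter_model: dict  # fields the model requires and their types
    version: int
    price: float
    precision: float

def is_compatible(client_pm, model_pm):
    """The model's parameter model acts as a guard: every field it requires must be
    present in the client's parameter model with the same type; extra client fields
    are simply not provided to the model."""
    return all(client_pm.get(field) == ftype for field, ftype in model_pm.items())

# Tie-breaking rules from the text; each scores a model, higher is preferred.
RULES = {
    "newest": lambda m: m.version,
    "most_precise": lambda m: m.precision,
    "least_expensive": lambda m: -m.price,
}

def select_model(models, question, client_pms, max_price=None, rule="newest"):
    """Block 1004: keep models that answer the question, match at least one of the
    client's parameter models and fit the declared price cap; break ties by rule."""
    candidates = [
        m for m in models
        if m.question == question
        and any(is_compatible(pm, m.parameter_model) for pm in client_pms)
        and (max_price is None or m.price <= max_price)
    ]
    if not candidates:
        return None
    return max(candidates, key=RULES[rule])

# Constructed catalogue of published models (names, prices and ratings are made up).
MODELS = [
    SecureModel("age_v1", "patient_age_class", {"age": "int"}, 1, 0.10, 0.80),
    SecureModel("age_v2", "patient_age_class", {"age": "int", "bmi": "float"}, 2, 0.25, 0.92),
    SecureModel("risk_v3", "readmission_risk", {"age": "int", "bmi": "float"}, 3, 1.00, 0.88),
]

if __name__ == "__main__":
    client_pm = {"age": "int", "bmi": "float", "name": "str"}   # schema only, no values
    print(select_model(MODELS, "patient_age_class", [client_pm]).name)                  # age_v2
    print(select_model(MODELS, "patient_age_class", [client_pm], max_price=0.2).name)   # age_v1
```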

At block 1006, in one or more of the various embodiments, the secure MLengine may provide a ML model parameter model to the client. Theprovided parameter model may be consistent or compatible with theparameter model provided by the client.

In one or more of the various embodiments, the parameter model providedto the client defines the type data types, fields, data structure, orthe like, that may be compatible with the question or input dataprovided by the client.

At block 1008, in one or more of the various embodiments, correlatedcryptographically random values may be provided to the client andserver. In one or more of the various embodiments, the secure MLprotocols being used may require correlated random values. Accordingly,in some embodiments, the secure ML engine may be arranged to employ arandomness engine to generate the necessary values and to manage thedistribution of the random values for use by client secure ML answerengines, secure ML answer engines, or the like.

In one or more of the various embodiments, because one or more of thesecure ML protocols supported by a secure ML engine may use randomvalues (e.g., randomness) in well-defined ways, the secure ML engine orthe randomness engine may be arranged to generate some or all of thecorrelated values in advance of when or if they are needed. In suchcases, the secure ML engine (via its randomness engine) may be arrangedto keep track of which random values have been used. In someembodiments, policies may be defined to establish rules for handlingrandomness. For example, rules may be employed to define variousproperties or features, such as, the number of random values to computein advance, ages or timeouts of values, re-use policies, strengthpolicies (e.g., bit length of random numbers, entropy, entropy sources,or the like), rollover policies, or the like.

At block 1010, in one or more of the various embodiments, the encrypted client input may be provided to the secure ML engine. As described above, clients provide the input data that they are asking a question about. In some embodiments, the question may be considered a classification problem. In one or more of the various embodiments, the input data may be encrypted before providing it to a secure ML engine or secure ML answer engine. In some embodiments, the input data may be kept at the client. In such cases, the client may employ a client secure ML answer engine that works with a secure ML answer engine hosted or provided by the secure ML engine that performs the secure ML protocols.

In one or more of the various embodiments, the input data may be transformed to conform with a parameter model(s) that the secure ML engine or the secure ML model requires. Accordingly, in some embodiments, the input data may comprise one or more model objects that represent one or more entities the client is interested in classifying or otherwise evaluating.

In one or more of the various embodiments, the client may trust the secure ML platform. Accordingly, in some embodiments, the client may provide the input data to the secure ML engine or secure ML answer engine without encrypting it first. However, in some embodiments, the network connection used to communicate the input data from the client to the secure ML platform may be secured using TLS, secure VPNs, or the like.

At block 1012, in one or more of the various embodiments, the encrypted secure ML model information may be provided to the secure ML engine. In one or more of the various embodiments, the secure ML model owner may have previously registered or published the secure ML model to an ML model repository managed by or otherwise accessible to the secure ML engine. In some embodiments, the secure ML engine may obtain the secure ML model after a client requests to use it.

In one or more of the various embodiments, the secure ML platform mayenable the secure ML model owner to keep possession of the secure MLmodel. Accordingly, the secure ML model owner may share one or moreparameter models that may be compatible with their secure ML modelsrather than sharing the entire secure ML model.

In one or more of the various embodiments, if the secure ML model owner does not want to share the secure ML model, one or more portions of a secure ML answer engine may be hosted on a computer controlled by the secure ML model owner. Accordingly, in some embodiments, the secure computation protocols may be employed while the secure ML model remains in the possession of the secure ML model owner.

At block 1014, in one or more of the various embodiments, the secure ML answer engine may compute the answer results and provide encrypted answer information to the client. As described above, the secure ML platform may be enabled to support one or more secure multiparty computation protocols. Accordingly, in one or more of the various embodiments, the secure ML platform (e.g., secure ML answer engines) may be arranged to execute the protocols that are compatible with or required by the current operation. For example, in one or more of the various embodiments, the client, the secure ML model owner, the secure ML platform, or the like, may provide configuration directives that may define the type of secure protocol that may be followed. In some embodiments, one or more components may be configured to support two or more protocols. Accordingly, in one or more of the various embodiments, the secure ML engine may be arranged to perform negotiation actions or handshake actions to select a particular secure protocol that may be compatible with all the involved parties. Upon successful execution of the secure computation protocol steps, a result may be provided to the client as an answer to its question.

Next, control may be returned to a calling process.

FIG. 11 illustrates an overview flowchart for process 1100 for cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments. After a start block, at block 1102, in one or more of the various embodiments, a client may provide a parameter model and ML model preferences to a secure ML engine. In one or more of the various embodiments, the client selects input data and a question to answer using one or more secure ML models. In this context, a question refers to a request to classify, score, or otherwise evaluate the input data using one or more secure ML models. For example, a client may wish to classify patients as high risk or low risk for some bad outcome. Accordingly, in this example, the input data would include one or more model objects that correspond to the patient. However, the values of the model object fields for the client's patient may be sensitive such that the client does not want to share the patient's details. Also, in some embodiments, as mentioned above, there may be additional meta-data or ML model preferences that may be associated with a client's request for an answer.

At block 1104, in one or more of the various embodiments, a secure ML model may be selected based on the parameter model or model preferences provided by the client. In one or more of the various embodiments, the secure ML engine may be arranged to search one or more secure ML model repositories to identify secure ML models that are compatible with the client's request. In some embodiments, the secure ML engine may be arranged to query one or more third-party repositories for compatible secure ML models. In some embodiments, in addition to its question and parameter model, the client request may include information that narrows or restricts the search for compatible secure ML models, such as, price, precision, model type, acceptable ML model sources or owners, or the like.

In one or more of the various embodiments, the actual secure ML models may be stored separately from the secure ML engine. For example, in some embodiments, the secure ML model owner may register information (e.g., parameter models, supported questions, or the like) with the secure ML engine that may be used to identify secure ML models that may be compatible with the client's question. Accordingly, in one or more of the various embodiments, if a remotely stored secure ML model is selected for use, the secure ML engine may retrieve it from its remote location. In some embodiments, the secure ML model may be hosted on resources controlled by its owner. In such cases, for some embodiments, a secure ML answer engine may be deployed to resources controlled by the secure ML model owner to execute the secure multiparty computations necessary to compute an answer to the client's question.

At block 1106, in one or more of the various embodiments, optionally, correlated randomness may be selected based on the secure ML model. In one or more of the various embodiments, the secure ML engine may select or compute one or more random values or randomness based on the secure machine learning protocols being used to answer the question.

In one or more of the various embodiments, this block is indicated asbeing optional because in some cases, for some protocols distributingrandom values to the client or others may be unnecessary. For example,in some cases, the randomness may be distributed beforehand. In othercases, the randomness may be obtained from a third-party or externalservice.

At decision block 1108, in one or more of the various embodiments, if distributed randomness is used, control may flow to block 1110; otherwise, control may flow to block 1112. In one or more of the various embodiments, two or more randomness engines may be distributed to different parts of the system. For example, in some embodiments, a client secure ML answer engine and a randomness engine may be hosted on client computers or compute resources while a secure ML answer engine and another randomness engine may be hosted on a secure ML owner's computers or compute resources.

At block 1110, in one or more of the various embodiments, randomness information used by the client and server may be synced. In one or more of the various embodiments, syncing may include incrementing an index counter or iterator on each of the distributed randomness engines to ensure that they stay synchronized, because, in one or more of the various embodiments, the randomness engines may be supplying correlated randomness to support MPC or other secure protocols. Accordingly, in some embodiments, if correlated randomness is required, the random values provided to the client and the random values provided to the secure ML answer engine or the secure ML model owner are arranged to be used together. Thus, in one or more of the various embodiments, the secure ML engine tracks which random values are used by which client to comply with defined randomness policies.

In one or more of the various embodiments, the syncing process may be amessage sent to the randomness engines that indicates that the next setof random values for a MPC calculation should be used. In someembodiments, a single randomness engine may be used to distribute thenecessary random values to each participant in the secure multipartycomputations.

At block 1112, in one or more of the various embodiments, the randomness information may be provided to the client secure ML answer engine and the server secure ML answer engine. In one or more of the various embodiments, the randomness information may be communicated over a network, or otherwise shared with the client secure ML answer engine and the server secure ML answer engine. Next, control may be returned to a calling process.
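The following is an added example, not code from the patent, illustrating the randomness handling described at block 1008 and at blocks 1106 through 1112: a dealer precomputes a batch of correlated random values in advance, hands one datastore to the client's randomness engine and the other to the server's, and each engine keeps an index counter that is only ever advanced (never rewound) so that the two sides consume matching values and no value is re-used. The correlated values are Beaver multiplication triples over GF(2), which is one standard way to realise the multi-party bitwise AND used later in this document; the class and method names are hypothetical.

```python
"""Added example (not from the patent): precomputed correlated randomness
(Beaver triples over GF(2)) with one randomness engine per party and a
synchronized index counter. Names are hypothetical."""
import secrets


def share_bit(v):
    """Split bit v into two XOR shares (s0 ^ s1 == v)."""
    s0 = secrets.randbits(1)
    return s0, s0 ^ v


class Dealer:
    """Generates correlated randomness in advance: for each triple
    c = a & b, the client gets one XOR share of (a, b, c) and the
    server gets the other. Neither party learns a, b or c."""

    def __init__(self, batch):
        self.client_store, self.server_store = [], []
        for _ in range(batch):
            a, b = secrets.randbits(1), secrets.randbits(1)
            (a0, a1), (b0, b1), (c0, c1) = share_bit(a), share_bit(b), share_bit(a & b)
            self.client_store.append((a0, b0, c0))
            self.server_store.append((a1, b1, c1))


class RandomnessEngine:
    """One instance per party. Hands out correlated values in order and
    records which index has been consumed; a sync message may only move
    the counter forward, so no triple is used twice."""

    def __init__(self, store):
        self.store, self.index = store, 0

    def next_triple(self):
        if self.index >= len(self.store):
            raise RuntimeError("correlated randomness exhausted; refill from dealer")
        triple = self.store[self.index]
        self.index += 1
        return triple

    def sync(self, index):
        """Apply a sync message so this engine matches its peer."""
        if index < self.index:
            raise RuntimeError("refusing to rewind: would re-use randomness")
        self.index = index


def secure_and(x_shares, y_shares, engines):
    """AND two XOR-shared bits with one Beaver triple. Each party opens
    d = x ^ a and e = y ^ b, which reveal nothing about x or y because
    a and b are uniform and unknown to both. Returns shares of x & y."""
    (a0, b0, c0), (a1, b1, c1) = (eng.next_triple() for eng in engines)
    d = (x_shares[0] ^ a0) ^ (x_shares[1] ^ a1)  # opened value
    e = (y_shares[0] ^ b0) ^ (y_shares[1] ^ b1)  # opened value
    # x & y = (d ^ a)(e ^ b) = de ^ db ^ ae ^ ab; party 0 adds the de term once
    z0 = c0 ^ (d & b0) ^ (e & a0) ^ (d & e)
    z1 = c1 ^ (d & b1) ^ (e & a1)
    return z0, z1


def demo(x, y, batch=4):
    """Run one secure AND end to end and reconstruct the result."""
    dealer = Dealer(batch)
    client = RandomnessEngine(dealer.client_store)
    server = RandomnessEngine(dealer.server_store)
    z0, z1 = secure_and(share_bit(x), share_bit(y), (client, server))
    assert client.index == server.index == 1  # both sides consumed triple 0
    return z0 ^ z1
```

The exhaustion and rewind checks are the policy points the text raises: an engine that runs out must be refilled from a fresh batch rather than wrapping around, and a sync message that would move the counter backwards is refused because reusing a triple lets the opened values leak the shared inputs.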

FIG. 12 illustrates a flowchart for process 1200 for computing an answer using cryptographically secure machine learning (ML) in accordance with one or more of the various embodiments. After a start block, at block 1202, in one or more of the various embodiments, the secure ML engine may select an ML decision tree model. In this example, it can be assumed that the client provided a question request that resulted in a secure ML model being selected that included one or more decision tree models. At block 1204, in one or more of the various embodiments, the secure ML engine may distribute randomness information to a client that is requesting an answer and to the model owner. In one or more of the various embodiments, the distributed randomness may be correlated random data that may be used for secure multiparty computation. At block 1206, in one or more of the various embodiments, the secure ML engine may process the provided ML model to reduce it to its polynomial representation. As described above (e.g., FIG. 4 and FIG. 5) the decision tree may be reduced to a polynomial representation. In some embodiments, the decision tree model may be stored in a polynomial format that may be used rather than having to perform the transformation each time it is used. At block 1208, in one or more of the various embodiments, private computations for each polynomial expression may be computed. At decision block 1210, in one or more of the various embodiments, if a leaf expression is reached, control may flow to block 1212; otherwise, control may flow to block. At block 1212, in one or more of the various embodiments, the answer may be provided to the client. Next, control may be returned to a calling process.

It will be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by computer program instructions. These program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks. The computer program instructions may be executed by a processor to cause a series of operational steps to be performed by the processor to produce a computer-implemented process such that the instructions, which execute on the processor, provide steps for implementing the actions specified in the flowchart block or blocks. The computer program instructions may also cause at least some of the operational steps shown in the blocks of the flowcharts to be performed in parallel. Moreover, some of the steps may also be performed across more than one processor, such as might arise in a multi-processor computer system. In addition, one or more blocks or combinations of blocks in the flowchart illustration may also be performed concurrently with other blocks or combinations of blocks, or even in a different sequence than illustrated without departing from the scope or spirit of the invention.

Additionally, one or more steps or blocks may be implemented using embedded logic hardware, such as, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), Programmable Array Logic (PAL), or the like, or combination thereof, instead of a computer program. The embedded logic hardware may directly execute embedded logic to perform some or all of the actions in the one or more steps or blocks. Also, in one or more embodiments (not shown in the figures), some or all of the actions of one or more of the steps or blocks may be performed by a hardware microcontroller instead of a CPU. In at least one embodiment, the microcontroller may directly execute its own embedded logic to perform actions and access its own internal memory and its own external Input and Output Interfaces (e.g., hardware pins and/or wireless transceivers) to perform actions, such as a System On a Chip (SOC), or the like.

The above specification, examples, and data provide a completedescription of the manufacture and use of the composition of theinvention. Since many embodiments of the invention can be made withoutdeparting from the spirit and scope of the invention, the inventionresides in the claims hereinafter appended.

Representative Protocol Implementation Use Case

In one or more of the various embodiments, a protocol for cryptographically secure machine learning may include: (1) The requested ML model and data are piped into the client side secure multiparty computation evaluator as a JSON string in the following format: {"cmd":"score", "modelName":"name", "modelID":"id", "data":{"feature_1":value_1, . . . , "feature_n":value_n}}. The model name and id are model identifiers that may be used to identify the model the client is requesting.

(2) The client side evaluator sends the server side evaluator the list of variable names in their given order of evaluation: ["feature_1", . . . , "feature_n"]

(3) Score model. If the model is an Adaboost model and has tree confidence values, the confidence values may be multiplied into the classifiers of each tree before starting the multiparty computation scoring on data. Each tree may be scored in parallel, or tree scoring may be performed serially.

(a) For each tree, the server side evaluator sends the dimensions of the 'polynomial' field to the client side evaluator. This leaks the depth of the tree, which is the only information that the client ever learns about the model.

(b) For i=1, . . . , 2^(d)+1, the client and the server obtain bitwise secret sharings of x_(H(i)) by executing an oblivious input selection protocol with inputs x_(1), . . . , x_(n) from the client and input H(i) from the server.

(c) For i=1, . . . , 2^(d)+1, securely compare x_(H(i)) and t_(i). For the input t_(i), the server inputs its bit representation and the client inputs zeros. Let [[z_(i)]]_(2) denote the result.

(d) Create a double array comps with dimensions identical to thepolynomial field. For i=1, . . . , 2^(d) and j=1, . . . , d (where d isthe depth of the i^(th) leaf):

comps[i][j] = x_(H(polynomial[i][j])) ⊕ inversions[i][j].

(e) For i=1, . . . , 2^(d) and j=2, . . . , d, perform multi-party bitwise AND of the comparison results: comps[i][1] = comps[i][1] AND comps[i][j]. Rounds may be reduced by ANDing one half of comps[i] with the other half and repeating until there is one element remaining. Thus comps[i][1] now holds the resulting shares for the selection of leaf i. If comps[i][1] was opened now, its value would be 1 while the rest are 0. The corresponding i that contains the value 1 is the selected leaf for the tree.

(f) Create an integer array leafsel and, for i=1, . . . , 2^(d), store leafsel[i] = −comps[i][1]. Now the bits of each element in leafsel are either all ones or all zeroes. By securely ANDing leafsel[i] with each vote of classifier[i], all classifiers may be masked out except the one for the tree's resolving leaf. Since the votes are stored as bitwise shares of the value, they may be XOR'd with the corresponding votes from each leaf into one final classifier that contains the votes from the unmasked leaf.

(g) When all the trees have been scored and the shares of each finalclassifier have been calculated, the corresponding ‘votes’ from eachtree are added together via bitwise addition.

(h) Perform a secure argmax function to select the index k of thehighest vote.

(i) Open k to the client. The client can then get class[k] from theknown list of classes.
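The following is an added example, not code from the patent, that walks the use case above (and the polynomial reduction of FIG. 12) in the clear: the JSON request of step (1) is parsed and the feature order of step (2) fixed, each tree is flattened into its per-leaf 'polynomial' (node ids along the path) and 'inversions' (branch bits) tables, and scoring follows the comparison, AND-along-the-path, all-ones mask, XOR-merge, vote sum and argmax structure of steps (3)(c) through (i). It computes on plaintext bits rather than on secret shares, so it is the reference a two-party implementation can be checked against, not the protocol itself; it takes the comparison bit of the node indexed by polynomial[i][j] as the input to comps[i][j], and uses integer votes and confidences so that the all-ones mask of step (f) is exact. The tree layout, field names and model values are constructed for illustration.

```python
"""Added example (not from the patent): clear-text reference for the
decision tree scoring use case. Tree layout and names are hypothetical."""
import json


def parse_request(text):
    """Steps (1) and (2): read the score command and fix the feature order
    that the client side evaluator sends to the server side evaluator."""
    req = json.loads(text)
    if req["cmd"] != "score":
        raise ValueError("unsupported command: %r" % req["cmd"])
    names = list(req["data"])            # evaluation order
    x = [req["data"][n] for n in names]
    return req["modelName"], req["modelID"], names, x


def flatten(tree):
    """Reduce a tree to its node table (feature H, threshold t) plus per-leaf
    polynomial / inversions rows and the leaf's vote vector. Internal node:
    {"feature", "threshold", "left", "right"}; leaf: {"votes": [per class]}.
    The left branch is taken when x_H < t (comparison bit z = 1)."""
    nodes, polynomial, inversions, votes = [], [], [], []

    def walk(n, path, inv):
        if "votes" in n:
            polynomial.append(path); inversions.append(inv); votes.append(n["votes"])
            return
        nid = len(nodes)
        nodes.append((n["feature"], n["threshold"]))
        walk(n["left"], path + [nid], inv + [0])   # z = 1 on this branch
        walk(n["right"], path + [nid], inv + [1])  # z = 0, inverted to 1

    walk(tree, [], [])
    return nodes, polynomial, inversions, votes


def leaked_dimensions(polynomial):
    """Step (3)(a): all the client learns is the table shape (leaves, depth)."""
    return len(polynomial), max(len(row) for row in polynomial)


def score_tree(nodes, polynomial, inversions, votes, x_by_name, confidence=1):
    """Steps (3)(c) to (f) in the clear for one tree."""
    z = [1 if x_by_name[f] < t else 0 for f, t in nodes]           # (c) comparisons
    comps = [[z[p] ^ b for p, b in zip(row, irow)]                  # (d) path bits
             for row, irow in zip(polynomial, inversions)]
    sel = [all(row) for row in comps]                               # (e) AND along path
    assert sum(sel) == 1                                            # exactly one leaf resolves
    leafsel = [-int(s) for s in sel]                                # (f) 0 or all-ones mask
    final = [0] * len(votes[0])
    for mask, v in zip(leafsel, votes):
        for k, vote in enumerate(v):
            final[k] ^= mask & (vote * confidence)                  # only one leaf survives
    return final


def score_model(request_text, model):
    """Steps (3)(g) to (i): add per-tree votes, argmax, map k to a class."""
    _, _, names, x = parse_request(request_text)
    x_by_name = dict(zip(names, x))
    totals = [0] * len(model["classes"])
    for tree, conf in zip(model["trees"], model["confidence"]):
        final = score_tree(*flatten(tree), x_by_name, conf)
        totals = [a + b for a, b in zip(totals, final)]
    k = max(range(len(totals)), key=totals.__getitem__)             # (h) argmax
    return model["classes"][k], totals                              # (i) class[k]


# Constructed model: two trees with integer Adaboost-style confidences.
MODEL = {
    "classes": ["low_risk", "high_risk"],
    "confidence": [2, 1],
    "trees": [
        {"feature": "age", "threshold": 50,
         "left": {"votes": [1, 0]},
         "right": {"feature": "bmi", "threshold": 30,
                   "left": {"votes": [1, 0]}, "right": {"votes": [0, 1]}}},
        {"feature": "smoker", "threshold": 1,
         "left": {"votes": [1, 0]}, "right": {"votes": [0, 1]}},
    ],
}

# Constructed request in the step (1) format.
REQUEST = json.dumps({"cmd": "score", "modelName": "risk", "modelID": "1",
                      "data": {"age": 62, "bmi": 33.5, "smoker": 1}})
```

Running score_model(REQUEST, MODEL) resolves the first tree to its bmi >= 30 leaf and the second to its smoker leaf, giving totals [0, 3] and the class "high_risk"; the first tree's tables have three rows of at most two entries, which is the (leaves, depth) shape that step (a) discloses to the client.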

What is claimed as new and desired to be protected by Letters Patent ofthe United States is:
 1. A method for classifying data over a network using one or more processors, included in one or more network computers, to perform actions, comprising: employing a machine learning (ML) engine to perform actions, including: selecting an ML model that employs a cryptographic multi-party computation (MPC) protocol based on model preferences provided by a client, wherein the provided model preferences include both a question and a parameter model, and wherein the parameter model includes one or more model objects of the ML model, and wherein the ML engine uses the parameter model to define one or more input values that are compatible with the ML model; employing a randomness engine to perform actions, including: providing one or more random values and one or more other random values based on the cryptographic MPC protocol, wherein the one or more random values are provided to the client and the one or more other random values are provided to an answer engine; distributing a first instance of the randomness engine and a first random information datastore to the client, wherein the one or more random values are provided from the first random information datastore; and distributing a second instance of the randomness engine and a second random information datastore to the answer engine, wherein the one or more other random values are provided from the second random information datastore; and employing the answer engine to perform further actions, including: synchronizing the first random information datastore and second random information datastore to maintain a correlation between the one or more random values and the one or more other random values; receiving, from the client, a data model having model objects that include the one or more input values that correspond to one or more fields of the one or more model objects in the parameter model, wherein the one or more input values are based on the cryptographic MPC protocol and the one or more random values; determining compliance of the data model with one or more requirements of the ML model based on a comparison of the data model to the parameter model; in response to the data model complying with the one or more requirements of the ML model, providing one or more partial results to the question based on the ML model, the one or more input values, and the cryptographic MPC protocol; and providing the one or more partial results to the client, wherein an ML client engine provides one or more answers to the question based on the one or more partial results.